• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 725
  • Last Modified:

Can't Connect After Installing New Verisign Certificate

We use ColdFusion MX 6.1 to link to our library catalog via the cfhttp tag.  Our library catalog is a secure site with an installed Verisign Certificate.  The other day I renewed the certificate and made the appropriate changes in our Apache server.  After that coldfusion could not connect to our catalog (both ser sslv3 certificates).  So I rolled back to the original certificate and everything went back to normal.  Does anyone know what could be causing this?  Some caching problem with CF so it keeps trying to find the old certificate?

  • 3
  • 2
1 Solution
you probably need to import the new cert into the keystore

"To use HTTPS with the cfhttp tag, you might need to manually import the certificate for each web server into the keystore for the JRE that ColdFusion uses. This procedure should not be necessary if the certificate is signed (issued) by an authority that the JSSE (Java Secure Sockets Extension) recognizes (for example, Verisign); that is, if the signing authority is in the cacerts already. However, you might need to use the procedure if you are issuing SSL (secure sockets layer) certificates yourself.
To manually import a certificate:

   1. Go to a page on the SSL server in question.
   2. Double-click the lock icon.
   3. Click the Details tab.
   4. Click Copy To File.
   5. Select the base64 option and save the file.
   6. Copy the CER file into C:\CFusionMX7\runtime\jre\lib\security (or whichever JRE ColdFusion is using).
   7. Run the following command in the same directory (keytool.exe is located in C:\CFusionMX7\runtime\jre\bin):

      keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer


from livedocs
kresgeladsAuthor Commented:
Couple of questions:

1)  I renewed the Verisign certificatewith another verisign certificate, therefore the problem can't be because I'm using a self signed certificate.

2)  when you use the term "giveUniqueName" I assume it's the full domain name of the site, e.g.  "mysite.oakland.edu"
it's quite possible that you still need to do the cert import. Also the cf service needs to be restarted after any cert update.

It also may be a bug in the jvm for  6.1 although if you dealt with the daylight savings change that's probably not the issue as you would have updated

the unique name does not have to be the fqdn just unique

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

kresgeladsAuthor Commented:

One final question:

when you say:  "Run the following command in the same directory (keytool.exe is located in C:\CFusionMX7\runtime\jre\bin)"

I assume you mean I should be in c:\cfusionmx7\runtime\jre\bin\lib\security
Thanks Again.

could be...The directory structure may have changed from 6.1 to 7 (I'm on 8 and it's in runtime\jre\bin) There is only one instance of keytool installed though so where ever it is should be the right place.

Hmm. I follow the instructions to the T. I hit the ENTER on the keytool command and I get "Enter keystore password?"
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now