
Security Cert in Java/Cold Fusion

I have a ColdFusion site running on Windows 2008.
I'm trying to connect to an outside web service and the admin on the other end is telling me I need to install this:
I've never seen this before or heard of the command that is needed to install it, "keytool".
I tried running keytool in PowerShell and on the regular command line but it's not found.

How do I get the keytool utility installed, and any other advice on installing this cert?

I am running CF
The JRE is 1.60_14


Unfortunately, I can't stick around tonight, but keytool is an executable included with the JVM. The exact location depends on which JVM the CF server is using. You can find the path under the "Java & JVM" section of the CF Admin screen. For a default install, it's located in {cfroot}\jre\bin. For example, in CF10 the default path for a single server install is:


The "keystore", or where certificate info is stored, is located in a file called "cacerts". Again, the location varies, but the default keystore for CF is located at {cfroot}\jre\lib. For example, in CF10 the default path for a single server install is:


Important: Keystores are usually protected by a password. The default password is "changeit". Obviously, that's a hint that everyone should change the default password. Just don't lose it or you'll be locked out!

To install a cert, run keytool.exe from the command prompt. If you have multiple versions of Java installed, there can be multiple keystores. A common mistake is importing the cert into the wrong keystore. Be sure you specify the FULL path to keytool.exe at the command prompt, i.e.:

   c:\>  C:\ColdFusion10\jre\bin\keytool.exe -import  {... more arguments  here....}

You can find full details on how to install a cert in CF here:

I'm using CF9 on Windows 7 with IIS 7.5 so your ColdFusion paths might vary a little... If you need to install the cert exactly as Entrust prescribes, then first download their cert file: https://www.entrust.net/downloads/binary/entrust_2048_ca.cer

I created a folder called "certs" on my C: drive and saved the cert there.

Secondly, I opened the Windows command prompt as an "Administrator". I think on Server 2008 you can right click the command prompt icon and select run as "Administrator".

Now change directory to where keytool is located. My path for CF9 on Windows 7 64-bit was: C:\coldfusion9\runtime\jre\bin

From this point just modify the sample instructions provided by Entrust to install the cert. In my case I used the following line from the Windows command prompt:

   keytool -import -alias root -keystore C:\coldfusion9\runtime\jre\lib\security\cacerts -trustcacerts -file C:\certs\entrust_2048_ca.cer

You will need to enter the "keystore" password as described in the post by agx. Mine was set to the default of "changeit".

If the password is entered correctly, you will be asked if you trust this cert. Type "yes" and press enter.

That should be it if all goes well. I attached a screenshot of what the command prompt dialog will look like.
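
The steps from both answers as one PowerShell script, with a fingerprint check before the import and a listing afterwards to confirm the cert landed in the intended keystore. This is an added example, not part of either answer; the default paths and alias are taken from the command above, and the script assumes the `jre\bin` and `jre\lib\security` layout shown there.

```powershell
# Added example. Defaults are the paths and alias from the answer above.
param(
    [string]$JreHome  = 'C:\coldfusion9\runtime\jre',   # the JVM shown in CF Admin
    [string]$CertFile = 'C:\certs\entrust_2048_ca.cer',
    [string]$Alias    = 'root'
)

# Always call the keytool that belongs to the JVM ColdFusion runs on, so the
# cert cannot end up in the keystore of some other Java install.
$keytool  = Join-Path $JreHome 'bin\keytool.exe'
$keystore = Join-Path $JreHome 'lib\security\cacerts'
foreach ($p in $keytool, $keystore, $CertFile) {
    if (-not (Test-Path $p)) { Write-Error "Not found: $p"; exit 1 }
}

# Print owner, issuer, validity and fingerprints for comparison with the
# values the CA publishes, before the cert is trusted.
& $keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { Write-Error 'Cannot read the certificate file'; exit 1 }
if ((Read-Host 'Do the fingerprints match the published ones? (yes/no)') -ne 'yes') { exit 1 }

# -storepass is visible in the process list while keytool runs; leave it off
# the commands below to have keytool prompt each time instead.
$storePass = Read-Host 'Keystore password'

# Check the password opens the keystore, then that the alias is still free
# (keytool -list exits non-zero for an alias that does not exist).
& $keytool -list -keystore $keystore -storepass $storePass 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Error "Cannot open $keystore"; exit 1 }
& $keytool -list -keystore $keystore -storepass $storePass -alias $Alias 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Error "Alias '$Alias' is already in use"; exit 1 }

# Keep a copy so a bad import can be rolled back.
Copy-Item $keystore "$keystore.$(Get-Date -Format yyyyMMddHHmmss).bak"

# -noprompt is safe here only because the fingerprint was confirmed above.
& $keytool -import -trustcacerts -noprompt -alias $Alias -keystore $keystore `
    -storepass $storePass -file $CertFile
if ($LASTEXITCODE -ne 0) { Write-Error 'Import failed'; exit 1 }

# Show the stored entry; its fingerprint should equal the one printed earlier.
& $keytool -list -v -keystore $keystore -storepass $storePass -alias $Alias
Write-Host 'Restart the ColdFusion service so the JVM reloads the keystore.'
```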