Enabling SSL
Related Categories: Breeze, CPS, FlashCom, Security, ColdFusion, JRun
This entry really applies to any Macromedia software (CFMX, DW, etc.) that leverages a JRE. To enable SSL (or even to update existing certificates) you need to use the Java keytool to import the remote server's certificate into the JVM's certificate store (its truststore). The JVM's default store is jre_root\lib\security\cacerts -- e.g. C:\j2sdk1.4.2_09\jre\lib\security\cacerts or C:\Program Files\Java\jre1.5.0_05\lib\security\cacerts or even cf_root\runtime\jre\lib\security\cacerts.
The keytool is only available with the Java Software Development Kit (SDK). Macromedia has 3 technotes that discuss this (there is also information in several LiveDoc pages):
- ColdFusion MX: Configuring Secure SSL Connection with LDAP Directory Server: http://www.macromedia.com/go/tn_19139
- Flex: Using SSL causes java.security.cert.CertificateException: http://www.macromedia.com/go/tn_19298
- CPS: Configuring Contribute Publishing Services to use LDAPS: http://www.macromedia.com/go/54f01608
However, I decided to write a single catch-all entry covering how to use the keytool to import the certificates and how to enable JVM debugging to verify the certificate handshake.
Keytool Examples
The following examples use the default Windows locations and options for the keytool program. Substitute the paths and option values with the correct ones for your specific systems. For example, the default password for cacerts is changeit; substitute the keystore and store password with the correct values for your system.
To import the cert:
For JDK:
For Breeze:
For CFMX Server configuration:
For Dreamweaver (including CPS and CFMX Multiserver config):
For Flex Builder (1.5):
For Flex Builder 2 (Alpha):
For JRun (including CPS, Flex, and CFMX Multiserver config):
Use the list option to verify the cert was successfully imported:
For me it is not enough to simply list the certs in the keystore. I often see customers who import the wrong certificate into the right store, or the right certificate into the wrong store. To diagnose the problem properly you need to examine the SSL handshake in the JVM. To do this, enable JVM debugging by passing -Djavax.net.debug=all (be sure you include the leading dash) to the JVM. For more detail on reading the debug output see http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/ReadDebug.html.
Debugging Example
For this example I'm using CFMX 7 on my laptop with a certificate with a subject of ssargent03.macromedia.com. I'm running CF from the command-line (c:\CFusionMX7\bin\cfstart).
In general I'm looking for three things:
- The truststore being used by the JVM. Verify that this is the same truststore into which you imported the server certificate:
    trustStore is: C:\CFusionMX7\runtime\jre\lib\security\cacerts
    trustStore type is : jks
- The imported certificate being added as a trusted cert. Like the keytool -import command, this verifies that the certificate is imported into the JVM's truststore and is being trusted at runtime:
    adding as trusted cert:
      Subject: CN=ssargent03.macromedia.com, OU=Product Support, O=Macromedia, L=Gilbert, ST=Arizona, C=US
      Issuer: CN=EETG, OU=ColdFusion EET, O=Macromedia, L=Newton, ST=Massachusetts, C=US, EMAILADDRESS=certAdmin@macromedia.com
      Algorithm: RSA; Serial number: 0x157cfa3b0003001260bc
      Valid from Tue Nov 22 08:23:43 MST 2005 until Wed Nov 22 08:33:43 MST 2006
- The identity of the trusted certificate used in the handshake. Verify the Subject, Validity, Issuer, and most importantly the Serial Number. If any of these attributes are not valid, then you imported the wrong certificate or the wrong cert is being used for the handshake:
    Found trusted certificate:
    [
    [
      Version: V3
      Subject: CN=ssargent03.macromedia.com, OU=Product Support, O=Macromedia, L=Gilbert, ST=Arizona, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key: SunJSSE RSA public key: ....
      Validity: [From: Tue Nov 22 08:23:43 MST 2005,
                   To: Wed Nov 22 08:33:43 MST 2006]
      Issuer: CN=EETG, OU=ColdFusion EET, O=Macromedia, L=Newton, ST=Massachusetts, C=US, EMAILADDRESS=certAdmin@macromedia.com
      SerialNumber: [    157cfa3b 00030012 60bc]
The JVM should see the certificate presented by the server (remote or local) and try to match it to those in its truststore.
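As an added example (not code from the original post), here is a small Python checker that applies those same three checks to saved -Djavax.net.debug=all output: it confirms the truststore path, that the expected serial was loaded as a trusted cert, and that the same serial is the one matched in the handshake. The log excerpt inside it is constructed from the values quoted above.

```python
import re

# Constructed excerpt of -Djavax.net.debug=all output, built from the values
# quoted in this post (not a real captured log).
SAMPLE_LOG = r"""
trustStore is: C:\CFusionMX7\runtime\jre\lib\security\cacerts
trustStore type is : jks
adding as trusted cert:
  Subject: CN=ssargent03.macromedia.com, OU=Product Support, O=Macromedia, L=Gilbert, ST=Arizona, C=US
  Issuer:  CN=EETG, OU=ColdFusion EET, O=Macromedia, L=Newton, ST=Massachusetts, C=US, EMAILADDRESS=certAdmin@macromedia.com
  Algorithm: RSA; Serial number: 0x157cfa3b0003001260bc
  Valid from Tue Nov 22 08:23:43 MST 2005 until Wed Nov 22 08:33:43 MST 2006

Found trusted certificate:
[
[
  Version: V3
  Subject: CN=ssargent03.macromedia.com, OU=Product Support, O=Macromedia, L=Gilbert, ST=Arizona, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Validity: [From: Tue Nov 22 08:23:43 MST 2005,
               To: Wed Nov 22 08:33:43 MST 2006]
  SerialNumber: [    157cfa3b 00030012 60bc]
"""

def parse_jsse_debug(log):
    """Pull out the truststore path, the serials loaded as trusted certs, and
    the serials of the certificates JSSE matched during the handshake."""
    store = re.search(r"^trustStore is:\s*(.+?)\s*$", log, re.M)
    trusted = {s[2:].lower()
               for s in re.findall(r"Serial number:\s*(0x[0-9a-fA-F]+)", log)}
    # "SerialNumber: [ 157cfa3b 00030012 60bc]" is the same hex, space-grouped.
    found = {"".join(m.split()).lower()
             for m in re.findall(r"SerialNumber:\s*\[([0-9a-fA-F ]+)\]", log)}
    return (store.group(1) if store else None), trusted, found

def check_handshake(log, expected_store, expected_serial):
    """Apply the post's three checks; returns a list of problems (empty = OK)."""
    store, trusted, found = parse_jsse_debug(log)
    serial = re.sub(r"^0x", "", expected_serial.lower())
    problems = []
    if store is None or store.lower() != expected_store.lower():
        problems.append(f"JVM truststore is {store!r}, expected {expected_store!r}")
    if serial not in trusted:
        problems.append("expected cert was never added as a trusted cert (wrong store?)")
    if serial not in found:
        problems.append("expected cert was not the one matched in the handshake (wrong cert?)")
    return problems
```

Run it against the real debug output redirected to a file, passing the cacerts path you imported into and the serial number keytool printed for the certificate; an empty list means all three checks passed.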
Using the keytool can be intimidating. There are GUI keytools available online. I use the Keytool GUI (now called KeyStore Explorer) from Wayne Grant.
So now you know my secret -- try it out before you call Macromedia Support! ;)