3 Replies Latest reply on May 22, 2015 10:45 AM by Wilgeno

    ColdFusion Trusted Keystore

    sdsinc_pmascari Level 2

      We're getting messages from PayPal about the need to update to a VeriSign G5 root certificate if we access their API.  We call the API with CFHTTP using ColdFusion 10.  Does anyone know if the G5 certificate is in the CF10 keystore?  Or, is this something that needs installed on the OS (Win 2008)?

        • 1. Re: ColdFusion Trusted Keystore
          Jamo Level 2

          ColdFusion 10 "should" be fine.  If you use ColdFusion 9, you may need to upgrade to latest Java JDK (1.7.0_80).  If the SSL certificate is SAN/SNI and uses a mixed-case domain, CF9 may have problems (ie, FirstData), but this is fixed in CF10. Bug#3566218 - CFHTTP/CFInvoke Fails with SSL Certificates using Subject Alternative Names (SAN)


          Have you tried performing an CFHTTP request to both of the following domains mentioned in the announcement?


          • If you really want to future-proof your integration, try our optimized API endpoints - api-s.paypal.com (Live) and api-s.sandbox.paypal.com (Sandbox) - which already support G5 Trusted Root Certificates and SHA-256.


          If those domain certs work, you should be fine.  If they don't work (for whatever reason), you may want to check out CFX_HTTP5.  I've used it and ColdFusion 8, 9 & 10 all work the same with the above SAN/SNI certs.

          • 2. Re: ColdFusion Trusted Keystore
            Jamo Level 2

            FYI: If you use Authorize.net, they are performing a similar SSL SHA-256 SAN/SNI upgrade on May 26 2015 (tomorrow).

            https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Production-C ertificate-Upgrades-begin-May-…


            ColdFusion 8 won't be able to connect as Java 1.6.0_x doesn't support SHA-256.


            ColdFusion 9 *may* encounter issues due to Adobe's (not Java's) SAN/SNI bug, but I'm not sure.


            ColdFusion 10 should be fine.  If not, the root certificates are available via the above link.

            • 3. Re: ColdFusion Trusted Keystore
              Wilgeno Level 1

              Actually ColdFusion 8 on Java 1.6.0_45 DOES support SHA-2 (256bit) and does so with Authorize.net that is also making the same change. The issue so far that I've seen in my testing is that ColdFusion 8 using CFHTTP on Java 1.6 does NOT support SAN type SSL Certificates. This has nothing to do with the encryption level of the SSL.  SAN is Subject Alternate Name which means the SSL Certificate is designated for multiple domain names instead of just one. PayPal appears to be moving to SAN SSL certificates as well as moving to SHA-2 encryption.


              The "keystore" is NOT ColdFusion's, but rather comes with the Java that is installed with ColdFusion. If you upgrade your Java version for ColdFusion to the newest available for CF9 (Java 1.7.0_71), CF10&CF11 (Java 1.8.0_45) then you will be default get a new keystore. You can also replace the Java 1.6 keystore with the Java 1.8 keystore. Or you can use the java keytool command to import new root CA certs.


              There are several possible solutions available to update the keystore.



              Wil Genovese

              Sr. Web Application Developer / Systems Administrator

              CF Webtools