3 Replies Latest reply on Feb 19, 2008 12:17 AM by edervaux

    CF8 Use of clientCert and cfhttp

    edervaux
      Dears,

      In ColdFusion 8, we are trying to implement a web service call in secured mode (use of SSL and a client certificate).
      We therefore used the new elements clientCert and clientCertPassword in the cfhttp command.
      We received a Connection Failure as a result (ColdFusion side).

      On the producer-side web server (Apache), we receive an HTTP 400 error:
      172.21.160.124 - - [04/Feb/2008:13:18:23 +0100] GET / 400 472 - - -

      Any idea / hint would be welcome ;)

      Code page is attached.
        • 1. Re: CF8 Use of clientCert and cfhttp
          edervaux Level 1
          Another important element:
          The .p12 certificate is not a certificate trusted by a Certificate Authority like Verisign.
          It is one that we generated on our side.
          Is there maybe a specific configuration to do in this case in ColdFusion or on our machine (Windows 2003 Server)?
          • 2. Re: CF8 Use of clientCert and cfhttp
            mjsale
            Hi

            I am actually running into the same issue here on my end with a p12 cert. Have you found anything else? I get the same connection error as well. Here's my code. I tried both sending garble to the service and actual SOAP messages.

            <CFSAVECONTENT variable="myXML">
            hello
            </CFSAVECONTENT>


            <CFHTTP
            method="post"
            url="https://198.136.211.18/axis/services/TPGSecureLink"
            port="8448"
            clientCert = "c:\inetpub\wwwroot\adirondack3.p12"
            clientCertPassword = "xxxxx"
            result="getout">

            <CFHTTPPARAM type="header" name="SOAPAction" value="">
            <CFHTTPPARAM type="xml" value="#myXML#">
            </CFHTTP>

            <CFDUMP var="#getout#">
            • 3. Re: CF8 Use of clientCert and cfhttp
              edervaux Level 1
              Hi,

              Yes, we went further. But this is not so easy.

              Explanation:

              Before an SSL connection can be established with CFHTTP to a server, the certificate of that server needs to be imported as a trusted certificate in the ColdFusion truststore with the keytool command. The command to do so is:
              keytool -import -trustcacerts -keystore cacerts -storepass <password> -noprompt -alias <alias> -file <certfile>
              If you use another CA certificate authority, then you also have to import the CA into the ColdFusion truststore.

              Before a client certificate can be used, it needs to be in a specific format, pkcs. Of course, this client certificate must contain the private key.
              You also have to import the client certificate into the Windows Certificate Store (if you run under a Windows desktop/server).
              In your ColdFusion cfhttp tag, use this .pkcs certificate file.

              Tell me if it works like this :)
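
One way to check the preconditions listed in the last reply before retrying cfhttp, as an added example that is not part of the original thread and not ColdFusion's own code: it loads the client .p12 the way a JVM does, reports whether it carries a private key and whether the certificate is self-issued, and looks up the server certificate in the truststore. The class name CfhttpCertCheck and the argument order are assumptions; it assumes a current JDK and a JKS-format cacerts file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not ColdFusion code. The class name is hypothetical.
// Assumes the truststore (cacerts) is a JKS file; pass its real password.
// Usage: java CfhttpCertCheck <client.p12> <p12-pass> <cacerts> <cacerts-pass> <server-cert>
public class CfhttpCertCheck {
    static KeyStore load(String type, String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // throws if the password or format is wrong
        }
        return ks;
    }

    // Prints every entry of the PKCS#12 file; true if one carries a private key.
    static boolean hasPrivateKey(KeyStore p12) throws Exception {
        boolean found = false;
        for (String alias : Collections.list(p12.aliases())) {
            boolean key = p12.isKeyEntry(alias);
            found |= key;
            System.out.println(alias + ": privateKey=" + key);
            if (p12.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate c = (X509Certificate) p12.getCertificate(alias);
                System.out.println("  subject=" + c.getSubjectX500Principal()
                    + " issuerEqualsSubject=" + c.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
            }
        }
        return found;
    }

    // Returns the truststore alias holding exactly this certificate, or null.
    static String trustedAlias(KeyStore trust, String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            return trust.getCertificateAlias(
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
    }

    public static void main(String[] a) throws Exception {
        if (a.length != 5) { System.err.println("need 5 arguments, see usage comment"); System.exit(2); }
        boolean keyOk = hasPrivateKey(load("PKCS12", a[0], a[1]));
        String alias = trustedAlias(load("JKS", a[2], a[3]), a[4]);
        System.out.println("client key present: " + keyOk + ", server cert trusted as: " + alias);
        System.exit(keyOk && alias != null ? 0 : 1);
    }
}
```

A null alias means the exact server certificate is not in that truststore; a server whose issuing CA is imported instead will still show null here, so check the CA certificate file the same way.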