ColdFusion, CFHTTP with SSL and the dreaded Peer Not Authenticated error
September 17 2012 by 
Marc Funaro
Fought this for a couple days, posting to help others.
If you're using CFHTTP to make a call to a secured (HTTPS) host, you may get an error in response... "Peer Not Authenticated".
If you google this, you should discover that: ?You probably need to import the entire certificate chain of the host you're attempting to reach, and that you need to use the KEYTOOL command line app to do this. ?This information appears in the Adobe knowledge base.
However, what may be unclear:
- How to get the certificates onto your system;
- How and where to import them
- The fact that there are TWO places you need to do this.
Getting the certificates onto your system is the easiest part. ?For simplicity I've described how to do this using Internet Explorer.
- Enter the URL of the host you are attempting to reach, into the browser's address bar;
- Verify the certificate for the host is valid and not expired;
- Click the lock icon next to the address bar;
- Click the Certification Path tab. ?THIS SHOWS YOU THE ENTIRE CERTIFICATE PATH... to ensure this works, you'll be saving EACH of the listed certifcates to your system. ?Make note of the lowest certificate's name, you'll need this in a moment. ?When you go to the Details tab, you'll be first working with the LOWEST certificate in the chain;
- Import the certificate by clicking the Details tab; click the Copy To File... button.
- Save it in DER format, and give it a name similar to the name that showed for this lowest certificate on the Certification Path tab, and save it to your hard drive where you can find it later.
- Next, go back to the Certification Path tab, and find THE NEXT CERTIFICATE UP from the one you just saved. ?Make note of it's name, then double-click it.
- Repeat steps 5-7 for this and each certificate in the chain.
Now you should have one or more certificates saved to your hard drive. ?The next step is to import them into the storage area used by ColdFusion to trust remote secure hosts. ?This SHOULD be easy, however, two factors come into play: ?Which Java runtime ColdFusion is using, and which file(s) are used for the storage area.
In my case, I spent time importing three certificates into all the CASTORE files on my entire C:\ drive, after trying in vain to use the one noted in the adobe article. ?I later discovered that yes, the CASTORE file I needed was the one in the subdirectory of the JAVA HOME path that appears in ColdFusion admin's settings summary. ?This helped, but still wasn't the whole story.
I later learned in a TEENY TINY TIDBIT inside another person's comment on an obscure blog post that you also should import the certificate(s) into the file named TRUSTSTORE. ?In my case, the only relevant TRUSTSTORE file was found in C:\JRun4\lib.
To top it off, after you import to the correct CACERTS and TRUSTSTORE files, you need to restart CF in order for the new certs to be recognized.
Lastly, I got really sick and tired of using the command line interface... so I downloaded the free?KeyStore Explorer 4.1.1 ?from this website:
Which made opening and viewing the storage area files, and properly importing the certificates, much much easier.
If when using KeyStore explorer you get an alert saying the certificate could not be trusted during import, just proceed to view it in that app (it will show it to you automatically) and then respond "OK" when asked if you're sure.
Hope this saves someone else some trouble.
Posted in ColdFusion | 
0 comments