
Thursday, December 13, 2012

Certificates: Common Name, Subject Alternative Names and ColdFusion

This article is about an issue that raised its head whilst installing a 2048bit key certificate into our ColdFusion servers.

I have already written an article about getting the certificates installed into the Java Engine lying under ColdFusion.

Now we were having issues with a certificate and a connection to a partner site. The connection used to work until they upgraded their certificate to a 2048bit key length certificate.

We had successfully added the certificate to the java keystore, which we have done numerous times in the past, but with this certificate, whilst it was in the keystore we still could not connect.

In the end what we found was that the certificate was a multi-domain certificate, which means that the certificate is valid for a number of different domains. In certificates this is supported by the use of an extension field called the Subject Alternative Name (SAN).

Now according to the RFCs, the way the domain should be checked is that the application should check the SAN field first and then check the Subject field (specifically the Common Name (CN) entry). The CN entry holds just one domain.

So what we found was that when we connected to the server running on the domain listed in the CN, the connection was fine. If we tried to connect to one of the domains listed in the SAN field (other than the domain in the CN), the connection would fail.

We then traced this problem to an issue with ColdFusion prior to version 9. It appears that CF7 and CF8 do not check the SAN field at all, only the CN entry. This means you cannot use multi-domain certificates in CF7 or CF8.

To use/trust multi-domain certificates in ColdFusion you have to use CF9+.
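As an added illustration of the two behaviours described above (this is not code from the original post or from ColdFusion), the following Python matcher implements the SAN-first check beside a CN-only check; following RFC 6125, the CN is consulted only when the certificate carries no SAN dNSName entries. The certificate contents are constructed for the example.

```python
# Added example (not from the original post): hostname matching against the
# SAN dNSName entries of a certificate, with the Subject CN as fallback per
# RFC 6125, beside the CN-only behaviour the post attributes to CF7/CF8.
# The certificate contents below are constructed, not from a real certificate.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A leading '*' stands in for exactly
    one left-most label: '*.a.example' matches 'x.a.example' but neither
    'a.example' nor 'x.y.a.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def match_cn_only(cert: dict, hostname: str) -> bool:
    """What the post describes for CF7/CF8: only the Subject CN is consulted,
    so every extra domain carried in the SAN is rejected."""
    return _name_matches(cert["cn"], hostname)


def match_san_then_cn(cert: dict, hostname: str) -> bool:
    """RFC 6125 order: try every SAN dNSName; fall back to the CN only when the
    certificate has no SAN dNSName entries at all."""
    san_names = cert.get("san_dns", [])
    if san_names:
        return any(_name_matches(name, hostname) for name in san_names)
    return _name_matches(cert["cn"], hostname)


# Constructed multi-domain certificate: one CN, several SAN dNSName entries.
PARTNER_CERT = {
    "cn": "www.partner.example",
    "san_dns": ["www.partner.example", "api.partner.example",
                "*.services.partner.example"],
}


if __name__ == "__main__":
    for host in ["www.partner.example", "api.partner.example",
                 "edi.services.partner.example", "other.example"]:
        print(f"{host:30} CN-only={match_cn_only(PARTNER_CERT, host)!s:5} "
              f"SAN-aware={match_san_then_cn(PARTNER_CERT, host)}")
```

Running it shows the pattern from the post: the CN domain passes both checks, while the other SAN domains pass only the SAN-aware check.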

The images below are to help visualise the above fields in the certificates.

Image 1 is from an article on DigiCert that explains Subject Alternative Names (I include it here to show where you can see the SAN field). The second image shows the CN entry in the Subject field (green outlined rectangle) and comes from the University of California, Davis.

IE 7 certificate subject details


Tuesday, December 11, 2012

2048bit key length certificates and Java (specifically ColdFusion)

Recently some of the partners we use have started to deploy certificates with key lengths of 2048bits. The 2048 bit length has become the standard accepted minimum key length for secure communication.

We have been using 2048bit key lengths for a few years now on our web sites, so we are not unused to them; however, with the partners now using them it meant we had to trust these certificates. Now here comes the issue. Our systems use ColdFusion and as such run on Java. Due to a US export policy which limited the key length US companies could provide outside the US, by default all versions of Java up to 1.7 have this limitation, and you would not be able to apply a certificate with a key length of 2048bit.

The way round this is to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

These files overwrite the existing policy files and are available for download from Oracle. From what I can see there are policy files for Java SE 7, Java SE 6, Java SE 5, Java 1.4.2 and Java 1.2.2.

Installing these policy files is very easy: download the correct version and extract it. You then need to grab two files:

  • local_policy.jar
  • US_export_policy.jar

Now, in the Java environment you want to amend, locate the following folder, e.g. (default for Java SE 6):

c:\Program Files\Java\jre6\lib\security

In here you should find files of the same name; make copies of these files first. Then overwrite the original files with the files extracted from the downloaded JCE policy zip file.

Now you will have to restart the Java instance.

OK, so now you should be able to install the 2048bit key length certificate into the keystore (cacerts).

Below are a couple of commands showing how to list the existing certificates in a keystore and then how to install a certificate.

The cacerts keystore is usually found somewhere like this (but it will be wherever the Java instance is installed):

c:\Program Files\Java\jre6\lib\security

List the certificates in the keystore and dump them into a text file:

<Java home>\bin>keytool.exe -list -v -storepass changeit -keystore <Java home>\lib\security\cacerts > c:\certificate.txt

Install the certificate CertificateFileName.crt into the keystore:

note: -storepass changeit is the default password for the keystore, which can be changed.

<Java home>\bin>keytool.exe -import -keystore <Java home>\lib\security\cacerts -alias anyNameYouWantToReferenceYourCertificateInKeyStore -storepass changeit -noprompt -trustcacerts -file C:\temp\CertificateFileName.crt