"Errors found in the certificate" when calling initSAMLAuthRequest()

Question

I am playing around with the the SAML SP and IdP configurations in CF2021. I am using CF as both IdP and SP.

When I call initSAMLAuthRequest() I receive the following error:

coldfusion.util.KeystoreUtils$CertificateException: Errors found in the certificate at coldfusion.saml.SamlHelper.stringToCert(SamlHelper.java:779)

I assume this error is related to the IdP certificate. This certificate is a self-signed certficate that was generated with the following command:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
-nodes -keyout idp.key -out idp.crt \
-subj "/C=US/O=IdP Test/OU=SSO/CN=test.internal" \
-addext "subjectAltName=DNS:test.internal,IP:192.168.1.2"

I used the Manual IdP configuration option and pasted the contents of idp.key into the Signing Certificate box without the ----BEGIN|END PRIVATE KEY----- bits. It looks like MIIJQg....Tnw==

If I leave the -----BEGIN PRIVATE KEY----- bits in there then then I receive an error saying "The input string is not base64 encoded. Cannot decode string '-----BEGIN PRIVATE KEY-----MIIJQg...'"

I have not had much luck finding examples of Manual IdP configuration or requirements for certificates. Do I need to import these certificates into the CFAS JKS files? Is there something missing or wrong with how I am generating this certficate?

Any hints?

sharp_quirk16B6 · Accepted Answer

Answering my own question:Enter the public certificate in the IdP configuration, not the private key. Whoops. The next issue I encountered was a password incorrect issue when ColdFusion was trying to access the PKCS12/PFX file to get the SAML SP key pair.  This was resolved by updating Java in my docker container from the default 11.0.11 that came with the official adobecoldfusion/coldfusion2021:latest image to the current 11.0.22 downloaded from https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html. I used the following commands to update my CFAS container:      wget -nc https://cfdownload.adobe.com/pub/adobe/coldfusion/java/java11/java11022/jdk-11.0.22_linux-x64_bin.deb     docker cp jdk-11.0.22_linux-x64_bin.deb cfas:/opt     docker exec -itu0 cfas dpkg --install /opt/jdk-11.0.22_linux-x64_bin.deb     docker exec -itu0 cfas sed -i "/java.home=/c\java.home=/usr/lib/jvm/jdk-11-oracle-x64" /opt/coldfusion/cfusion/bin/jvm.config     docker exec -itu0 cfas rm /opt/jdk-11.0.22_linux-x64_bin.deb     docker restart cfas

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded