DEV Community

James Moberg

ColdFusion Test for new Amazon Trust Services Certificates

I received an email notification from Amazon that Amazon S3 and Amazon CloudFront were migrating default certificates to Amazon Trust Services in March 2021.

In 2018, AWS announced a broad migration of AWS services' SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services' default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.

Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.

To prepare for this migration, visit the announcement blog or review the FAQs below:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

As a ColdFusion developer, I use Amazon S3 for a couple of projects. I've encountered issues in the past and have had to resort to using S3Express (Amazon S3 Command Line Utility) to improve performance and thread stability and to avoid time-outs. I continue to use CFML to access S3 to generate real-time, time-expiring download links for digital downloads.

I've also accessed some websites via CFHTTP that are hosted by Amazon CloudFront. I decided to check whether I needed to manually import the certificates into the trust store or whether it would just work. (NOTE: I prefer using CFX_HTTP5, and it worked without having to make any code changes or manually import any certificates. cURL also worked. They both use the WinHttp API, which leverages the certificates that are updated automatically by Microsoft.) Since this was announced back in 2018, I figured Adobe was on top of this and would have added it to ColdFusion 2018, but it appears that they didn't. (I'm not sure if they've added it to CF2020. Could someone check on that?)

Here's a ColdFusion script that I wrote that performs GET requests against the currently available Amazon Trust Services test URLs (source code below).

I noticed that the new AWS certificates work when testing on TryCF, and I'm not sure why. (Are they using a proxy?) If you test using CFFiddle, a connection failure error is returned.

TryCF.com Demo

https://www.trycf.com/gist/829e15110b1f8b81576e1782f760475d

Source Code

<!--- 20200323 Test to determine if your ColdFusion Application Server can connect to Amazon Trust Services certificates.
BLOG: https://dev.to/gamesover/coldfusion-test-for-new-amazon-trust-services-certificates-1k6o
TryCF: https://www.trycf.com/gist/829e15110b1f8b81576e1782f760475d
Try this on your installation of ColdFusion. (Proof that it works in a separate test environment is not the same as it working in production.)
NOTE: Also try this at https://cffiddle.org/ (It works on TryCF, but I think it may be due to proxied requests.)
--->
<!--- One "good" test endpoint per Amazon Trust Services root; each chains to the root named in CN. --->
<cfset AmazonTrustServices = [
    {
        "CN" = "Amazon Root CA 1",
        "O" = "Amazon",
        "C" = "US",
        "U" = "https://good.sca1a.amazontrust.com/"
    },
    {
        "CN" = "Amazon Root CA 2",
        "O" = "Amazon",
        "C" = "US",
        "U" = "https://good.sca2a.amazontrust.com/"
    },
    {
        "CN" = "Amazon Root CA 3",
        "O" = "Amazon",
        "C" = "US",
        "U" = "https://good.sca3a.amazontrust.com/"
    },
    {
        "CN" = "Amazon Root CA 4",
        "O" = "Amazon",
        "C" = "US",
        "U" = "https://good.sca4a.amazontrust.com/"
    },
    {
        "CN" = "Starfield Services Root Certificate Authority - G2",
        "O" = "Starfield Technologies, Inc.",
        "L" = "Scottsdale",
        "ST" = "Arizona",
        "C" = "US",
        "U" = "https://good.sca0a.amazontrust.com/"
    }
]>
<p>In 2018, AWS announced a broad migration of AWS services' SSL/TLS certificates to our own Certificate Authority,
Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will
begin migrating the Certificate Authority for each services' default certificate. Using our own Certificate Authority,
AWS services can better manage the security practices used to handle our default certificates.</p>
<p>Your action may be required to ensure your applications continue normal operation after this change. If you already
use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have
already migrated. Visit <a href="https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/">https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/</a>.</p>
<cfset serviceCount = arraylen(AmazonTrustServices)>
<cfloop from="1" to="#serviceCount#" index="i">
    <cfset thisService = AmazonTrustServices[i]>
    <fieldset>
        <cfoutput><legend>[#i#/#serviceCount#] #thisService.CN#</legend>
        <p>#thisService.U#</p>
        </cfoutput>
        <cftry>
            <!--- A TLS failure (e.g. a root missing from the JVM trust store) does not throw by default;
                  cfhttp reports a "Connection Failure" status instead, so the status check below catches it. --->
            <cfhttp url="#thisService.U#" method="get" redirect="no" getasbinary="never" timeout="5">
            <cfif isdefined("CFHTTP.StatusCode") AND VAL(CFHTTP.StatusCode) IS 200>
                <h3 style="color:green;">Success</h3>
                <cfdump var="#cfhttp#" expand="false">
            <cfelse>
                <h3 style="color:red;">Fail</h3>
                <cfdump var="#cfhttp#">
            </cfif>
            <cfcatch>
                <h3 style="color:red;">Fail/CFError</h3>
                <cfdump var="#cfcatch.message#">
            </cfcatch>
        </cftry>
    </fieldset>
</cfloop>
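The CFML test above tells you whether a request succeeds, but not which root is absent from the JVM trust store ColdFusion reads. The following shell script is an added example, not part of the original post or of ColdFusion itself: it lists the ColdFusion JRE's cacerts with keytool, reports which of the five Amazon Trust Services roots named above are missing, and prints the keytool import command you would run before restarting ColdFusion. The trust store path, the store password (the stock JVM default "changeit") and the PEM file name in the printed import command are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the original post or from ColdFusion): check whether the
# JVM trust store used by ColdFusion contains the Amazon Trust Services roots, and
# report which would have to be imported before CFHTTP can validate the migrated
# S3/CloudFront certificates.

# Assumed location of the ColdFusion JRE trust store; override via the environment.
CACERTS="${CACERTS:-/opt/coldfusion2018/jre/lib/security/cacerts}"
# Stock JVM cacerts password (assumed); override if your store was re-keyed.
STOREPASS="${STOREPASS:-changeit}"

# Subject common names of the root certificates listed in the post.
ATS_ROOTS='Amazon Root CA 1
Amazon Root CA 2
Amazon Root CA 3
Amazon Root CA 4
Starfield Services Root Certificate Authority - G2'

# missing_roots: reads `keytool -list -v` output on stdin and prints, one per line,
# every expected root CN that has no matching "Owner: CN=..." entry. Matching the
# Owner line rather than the Issuer line means an intermediate signed by a root does
# not count as the root itself being trusted. Pure text processing, testable offline.
missing_roots() {
  listing=$(cat)
  printf '%s\n' "$ATS_ROOTS" | while IFS= read -r cn; do
    [ -n "$cn" ] || continue
    if ! printf '%s\n' "$listing" | grep -qF "Owner: CN=$cn,"; then
      printf '%s\n' "$cn"
    fi
  done
}

# check_trust_store: run keytool against the configured store and report the result.
# Returns 0 when every listed root is present, 1 when any is missing, 2 when the
# store cannot be read (wrong path or password), so it can drive a deploy check.
check_trust_store() {
  if [ ! -r "$CACERTS" ]; then
    echo "Trust store not readable: $CACERTS" >&2
    return 2
  fi
  # Capture stderr too: a wrong password must not be mistaken for "all roots missing".
  listing=$(keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" 2>&1) || {
    echo "keytool could not read $CACERTS: $listing" >&2
    return 2
  }
  missing=$(printf '%s\n' "$listing" | missing_roots)
  if [ -z "$missing" ]; then
    echo "All Amazon Trust Services roots are present in $CACERTS"
    return 0
  fi
  echo "Roots missing from $CACERTS (CFHTTP cannot validate hosts chaining to them):"
  printf '%s\n' "$missing" | sed 's/^/  /'
  echo
  echo "Import each missing root (PEM files are published at https://www.amazontrust.com/repository/), e.g.:"
  echo "  keytool -importcert -trustcacerts -alias amazonrootca1 -file AmazonRootCA1.pem \\"
  echo "    -keystore \"$CACERTS\" -storepass \"$STOREPASS\""
  echo "then restart ColdFusion so the JVM reloads its trust store."
  return 1
}

# Only run the live check when invoked with --run, so the functions above can be
# sourced or tested without touching a real trust store.
if [ "${1:-}" = "--run" ]; then
  check_trust_store
fi
```

Run it as `CACERTS=/path/to/coldfusion/jre/lib/security/cacerts sh ats_truststore_check.sh --run`; the same keytool commands apply on Windows against the ColdFusion JRE's cacerts. Because the CFML test only runs from the server you point it at, this check belongs on each production ColdFusion host, not just in a test environment, which is the same caveat the script comment above makes.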
