# cfml-general
e
I'm using SSO with a generated SP and would like to be able to transfer 509 certs between environments. When using a signed 509 cert for the Service Provider (CF generated), the listed password to open that keystore doesn't work. Is there a step I'm missing? /cfusion/lib/saml/<Generated509.p12> is the KeyStoreFile (the .p12 file). signKeystorePassword is listed in the neo-saml.xml file, but it is not working, or it is encrypted. Any help is appreciated. Thanks
d
So it works on one environment, but same file and same passwords don't work on the other environment?
e
Hi Denny. Correct, if I copy the .p12 file and neo-saml.xml to another server, I receive an error when testing. I had to generate a new .p12 for each server.
d
Are both servers at the same versions/updates? I wonder if there's a salt in there based on the server. There may be another neo file to copy or something.
e
Both ColdFusion 2021 HF 14
d
It seems like maybe a security feature, since the SP is CF generated, so you may need to copy more than just the store and password, but I don't know what more… are you trying to just copy that bit or make a duplicate server?
e
Really I have a couple of use cases. For additional team developers, each with their local ColdFusion, it would be nice to copy neo-saml.xml and the .p12 to each to allow local SSO access. Second use case: when either upgrading to 2023+ or upgrading just the servers, I don't want to generate additional metadata to send to the IDP. I should be able to use the existing.
d
I'd think you should be able to manually check the files and see if it works from the command line using something like openssl.
Does the password work in that case?
e
Doesn't work with keytool -list -keystore <path to keystore>.p12 -storepass <encryptedpassword>
I'm probably missing a step, like decrypting the password, but not 100% on how to do that.
Wondering if it's the salt listed in the neo-security.xml file which is for the cfadmin login.
d
That would make a lot of sense!
I wonder if cfconfig or commandbox has the needed logic to decrypt the password first (needing that salt rings a vague bell)
e
OK, I will need to research it a bit, as I haven't used either cfconfig or commandbox.
Thanks for your help
d
Sure thing! And I don't know how useful that would be, FWIW. It might be easier to see if copying the salt works, as for the stuff you want to do, some programmatic solution won't work anyway.
Oh, actually I guess it would, as you could encrypt the password for that instance's salt.
If that's the case it would be a neat addition to cfconfig.
e
Well if the salt is the cfadmin salt, then probably don't want to blow over that as the user wouldn't be able to login again, I think.
d
Yeah, I was thinking that, IIRC, you need the salt to import/export datasource passwords, so that logic is already in cfconfig, and what it does is decrypt and encrypt the password using the instance's salt, versus copying the salt from the old instance to the new.
It's been a long time since I looked at that logic, though, so I might be misremembering.