A user just e-mailed me asking how to digitally sign e-mail messages sent using the ColdFusion <CFMAIL> tag. Well, as it so happens, this was just added as a feature in ColdFusion 9. You can now specify the following, both as defaults in ColdFusion Administrator and as <CFMAIL> attributes:

  • KEYALIAS – Alias specifying which certificate and private key within the keystore to use.
  • KEYPASSWORD – Password for your private key.
  • KEYSTORE – Path to the keystore containing the private key and certificate.
  • KEYSTOREPASSWORD – Exactly as the name suggests.
  • SIGN – TRUE/FALSE flag specifying whether or not to digitally sign generated e-mail.
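
The attributes above used together on one tag, as an added example that is not code from the original post. The keystore path, alias, addresses and environment variable names are constructed placeholders, and reading the passwords from the environment instead of the template source is a choice made for this example.

```cfml
<!--- Added example. Path, alias, addresses and environment variable
      names are constructed placeholders, not values from the post. --->
<cfset sys = createObject("java", "java.lang.System")>
<cfset keystorePath = "/opt/secure/mail-signing.jks">

<!--- Keep both passwords out of the template source. getenv() returns
      null when the variable is unset, which leaves the CF variable undefined. --->
<cfset storePass = sys.getenv("MAIL_KEYSTORE_PASSWORD")>
<cfset keyPass = sys.getenv("MAIL_KEY_PASSWORD")>

<!--- Fail with a clear configuration error before attempting to send. --->
<cfif NOT fileExists(keystorePath)>
    <cfthrow type="MailSigning.Config" message="Signing keystore not found.">
</cfif>
<cfif NOT structKeyExists(variables, "storePass")
      OR NOT structKeyExists(variables, "keyPass")>
    <cfthrow type="MailSigning.Config" message="Signing passwords are not set.">
</cfif>

<!--- The FROM address should match the e-mail address in the signing
      certificate, since that is what the recipient's mail client compares. --->
<cfmail from="billing@example.com"
        to="customer@example.com"
        subject="Your invoice"
        sign="true"
        keystore="#keystorePath#"
        keystorepassword="#storePass#"
        keyalias="mail-signing"
        keypassword="#keyPass#">
Your invoice for this month is ready.
</cfmail>
```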

There you go, in case you needed it, one more reason to upgrade!

4 thoughts

  1. Digitally signed email messages are used when you want to send mail and be sure the sender is who they say they are. As I am sure you know (from receiving spam, as an example), faking an SMTP sender is easy. Heck, CFMAIL lets you put whatever you want in the FROM field. Email was never meant to be that secure, so that’s usually OK. But for when you do need to guarantee that the sender is who they say they are, that’s when digitally signed emails are used.
    — Ben

  2. This is really confusing me – not the signing bit or how to sign, that makes perfect sense, but which certificate to use. I’ve bought a Comodo Secure Email Certificate to use, which would seem obvious, but trying to use it is proving to be more of a challenge, to get it into the JKS store and make use of it. I’m sure it’s something completely obvious I’m missing, but what that is eludes me!
