[java] How to make a machine trust a self-signed Java application

I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is:

Application bloquée par les paramètres de sécurité
Vos paramètres de sécurité ont bloqué l'exécution d'une application auto-signée avec une version obsolete ou arrivée à expiration de Java.

which would translate roughly as:

Application blocked by the security settings
Your security settings have blocked from running an application that has been self-signed with an obsolete or outdated Java.

The grammar is not that clear, the end of the sentence could be read as either:

  • ...blocked a self-signed application from running with an obsolete or outdated Java [runtime], meaning that the local runtime is too old, but the self-signature is fine
  • ...blocked an application that has been self-signed with an obsolete or outdated Java [compiler], meaning that the Java compiler used is too old

I searched online for the exact same message in English, but I couldn't find it. So the grammar is still unclear. Note that on the message there is no Name: xyz / From: http://url/, there's only the text I typed above, and a blue "i" icon.

Now, I don't really understand the exact meaning of this error message, but I know that there is an issue because my JAR files are all self-signed. I have already faced this on other Windows clients, and it was easy:

  • I extracted a .cer certificate from my keystore;
  • Downloaded it on the client machine, open it;
  • Made the customers install it as a trusted source on their local machine.

It worked like a charm on my test setup and for one customer, but another one still has the issue and cannot run my software.

This is a big issue from me, and I don't know what to do. Should I upgrade my Java compiler, recompile everything, sign every JAR file again and cross fingers? How can I make that Windows box trust my certificate and let the Java application run?

This question is related to java security certificate java-web-start self-signed

The answer is


SERIOUS DISCLAIMER

This solution has a serious security flaw. Please use at your own risk.
Have a look at the comments on this post, and look at all the answers to this question.


OK, I had to go to the customer premises and found a solution. I:

  • Exported the keystore that holds the signing keys in PKCS #12 format
  • Opened control panel Java -> Security tab
  • Clicked Manage certificates
  • Imported this new keystore as a secure site CA

Then I opened the JAWS application without any warning. This is a little bit cumbersome, but much cheaper than buying a signed certificate!


I was having the same issue. So I went to the Java options through Control Panel. Copied the web address that I was having an issue with to the exceptions and it was fixed.


I had the same problem, but i solved it from Java Control Panel-->Security-->SecurityLevel:MEDIUM. Just so, no Manage certificates, imports ,exports etc..


Examples related to java

Under what circumstances can I call findViewById with an Options Menu / Action Bar item? How much should a function trust another function How to implement a simple scenario the OO way Two constructors How do I get some variable from another class in Java? this in equals method How to split a string in two and store it in a field How to do perspective fixing? String index out of range: 4 My eclipse won't open, i download the bundle pack it keeps saying error log

Examples related to security

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5

Examples related to certificate

Distribution certificate / private key not installed When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? Cannot install signed apk to device manually, got error "App not installed" Using client certificate in Curl command Convert .cer certificate to .jks SSL cert "err_cert_authority_invalid" on mobile chrome only Android Studio - Unable to find valid certification path to requested target SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch Verify a certificate chain using openssl verify Import Certificate to Trusted Root but not to Personal [Command Line]

Examples related to java-web-start

SecurityException during executing jnlp file (Missing required Permissions manifest attribute in main jar) How to make a machine trust a self-signed Java application What is the difference between 'java', 'javaw', and 'javaws'? Java web start - Unable to load resource I am not able launch JNLP applications using "Java Web Start"?

Examples related to self-signed

Failed to load resource: net::ERR_INSECURE_RESPONSE How to disable SSL certificate checking with Spring RestTemplate? How to make a machine trust a self-signed Java application How to create a self-signed certificate for a domain name for development? How can I make git accept a self signed certificate? Getting Chrome to accept self-signed localhost certificate unsigned APK can not be installed How to export private key from a keystore of self-signed certificate