12 Replies Latest reply: Dec 6, 2012 11:15 AM by 226794

Webstart security warning for "expired certificate" which is not expired

914420 Newbie
Occasionally we are seeing a security warning when starting a WebStart application on Java 7. The warning is about an expired certificate ("digital signature has expired").
(german) http://img194.imagevenue.com/img.php?image=47970_screenshot_3_122_249lo.jpg

When looking at details offered by the dialog, the certificate period is not expired, actually. At the time of this writing, the certificate was recently renewed and starts about a week in the past, and ends in two years.
(german) http://img212.imagevenue.com/img.php?image=47056_screenshot_1_122_668lo.jpg

First I thought that this might be caused by not signing the JNLP itself because the security details warn about an unsigned JNLP:
(german) http://img156.imagevenue.com/img.php?image=47057_screenshot_2_122_409lo.jpg

Furthermore, this post seems to indicate that JNLP signing might be mandatory:
How to sign a auto generated JNLP file....

The JNLP spec describes this as optional. What else could be the problem here?

Edited by: wl on Oct 11, 2012 12:06 PM
  • 1. Re: Webstart security warning for "expired certificate" which is not expired
    817614 Explorer
    You can turn on tracing to get more debug info. See: http://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf
  • 2. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    Thanks. After removing the certificate from the list of trusted certificates I am getting the same security box again, this time with trace enabled. Unfortunately it is not very helpful. Meanwhile I discovered that the jars were signed without using a timestamp server (a regression in the build script a while ago). Hopefully using a timestamp server resolves it...

    Edited by: wl on Oct 15, 2012 2:17 PM
  • 3. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    wl wrote:
    Thanks. After removing the certificate from the list of trusted certificates I am getting the same security box again, this time with trace enabled. Unfortunately it is not very helpful. Meanwhile I discovered that the jars were signed without using a timestamp server (a regression in the build script a while ago). Hopefully using a timestamp server resolves it...
    No luck, again. Using tsaurl "https://timestamp.geotrust.com/tsa" for signing did not make a difference. There is still a security box claiming an expired signature. I verified that the timestamp server was actually used by looking into META-INF/MINT_SIG.RSA - the file contains the string "geotrust". Also, I did a "jarsigner -verify -verbose" on each jar file in the jnlp. Every file is marked "sm" (signature was verified, entry is listed in manifest).

    I am out of ideas. Any advice? Thanks in advance.
  • 4. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    ntn wrote:
    You can turn on tracing to get more debug info. See: http://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf
    Meanwhile I've got the correct trace (ignore my trace from last week). I cannot post it here because it exceeds 30k. See below for a shortened version. After this the security dialog appears with this hint: The application's digital signature has expired.

    Java Web Start 10.7.2.10
    Using JRE version 1.7.0_07-b10 Java HotSpot(TM) 64-Bit Server VM
    ----------------------------------------------------
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    m: print memory usage
    o: trigger logging
    p: reload proxy configuration
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    0-5: set trace level to <n>
    ----------------------------------------------------
    basic: Java part started
    basic: jnlpx.jvm: C:\Program Files\Java\jre7\bin\javaw.exe
    basic: jnlpx.splashport: 59764
    basic: jnlpx.remove: false
    basic: jnlpx.heapsize: null
    network: Loading user-defined proxy configuration ...
    network: Done.
    network: Browser is FirefoxURL
    network: Browser is Firefox
    network: Loading proxy configuration from Netscape Navigator ...
    network: Proxy enable: 0
    network: Done.
    network: Loading direct proxy configuration ...
    network: Done.
    network: Proxy Configuration: No proxy
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
    basic: Running JVMParams: [JVMParameters: isSecure: true, args: ]
         -> [JVMParameters: isSecure: true, args: ]
    network: Created version ID: 1.7.0.07
    network: Created version ID: 1.7
    network: Created version ID: 2.2.0
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/Assistant.jnlp, version: null] prevalidated=false/0
    cache: Resource https://tnimern.xxx.com/tnimern/Assistant.jnlp has expired.
    cache: Resource https://tnimern.xxx.com/tnimern/Assistant.jnlp has cache control: no-cache.
    network: Connecting https://tnimern.xxx.com/tnimern/Assistant.jnlp with proxy=DIRECT
    network: Connecting socket://tnimern.xxx.com:443 with proxy=DIRECT
    security: Loading Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    security: Checking if certificate is in Deployment denied certificate store
    network: ResponseCode for https://tnimern.xxx.com/tnimern/Assistant.jnlp : 304
    network: Encoding for https://tnimern.xxx.com/tnimern/Assistant.jnlp : null
    network: Disconnect connection to https://tnimern.xxx.com/tnimern/Assistant.jnlp
    temp: new XMLParser with source:
    temp: <?xml version="1.0" encoding="ISO-8859-1"?>
    <jnlp xmlns:jfx="http://javafx.com" spec="1.0+" href="Assistant.jnlp" codebase="https://tnimern.xxx.com/tnimern/">
    <information>
    <title>TNIM Assistant</title>
    <vendor>VENDOR</vendor>
    <homepage href="index.html"/>
    <description>TNIM Assistant</description>
    <offline-allowed/>
    <icon href="pics/logo_people.jpg" kind="splash"/>
    <icon href="pics/address_book3.png"/>
    </information>
    <security>
    <all-permissions/>
    </security>
    <resources>
    <j2se version="1.6+" max-heap-size="512m" language="" country=""/>
    <jfx:javafx-runtime version="2.2+" href="http://javadl.sun.com/webapps/download/GetFile/javafx-latest/windows-i586/javafx2.jnlp"/>
    <property name="tnim.ReportViewer" value="http://localhost:4712"/>
    <property name="tnim.WebserviceURL" value="https://tnimern.xxx.com/tnimern/rpcrouter"/>
    <property name="PDFServletURL" value="https://tnimern.xxx.com/tnimern/report?"/>
    <property name="tnim.defaultCustomer" value="tnimern"/>
    <property name="tnim.WebserviceGzipEnabled" value="true"/>
    <property name="tnim.url.show-on-login" value="http://www.yyy.tld/tnimern/login.html"/>
    <property name="tnim.url.show-on-dashboard" value="http://www.yyy.tld/tnimern/show-on-dashboard.html"/>
    <property name="tnim.url.customer-logo" value="http://www.yyy.tld/tnimern/logo_mwa_tnimern.png"/>
    <jar href="webstart/xfire-jsr181-api-1.0-M1.jar" main="false" download="eager"/>
    <jar href="webstart/activation-1.1.jar" main="false" download="eager"/>
    <jar href="webstart/AnimatedTransitions-0.11.jar" main="false" download="eager"/>
    <jar href="webstart/balloontip-1.0.jar" main="false" download="eager"/>
    <jar href="webstart/bcprov-jdk15-133.jar" main="false" download="eager"/>
    <jar href="webstart/commons-beanutils-1.7.0.jar" main="false" download="eager"/>
    <jar href="webstart/commons-codec-1.3.jar" main="false" download="eager"/>
    <jar href="webstart/commons-collections-3.2.jar" main="false" download="eager"/>
    <jar href="webstart/commons-digester-1.7.jar" main="false" download="eager"/>
    <jar href="webstart/commons-httpclient-3.0.jar" main="false" download="eager"/>
    <jar href="webstart/commons-io-1.3.1.jar" main="false" download="eager"/>
    <jar href="webstart/commons-lang-2.3.jar" main="false" download="eager"/>
    <jar href="webstart/commons-logging-1.0.4.jar" main="false" download="eager"/>
    <jar href="webstart/commons-net-3.0.1.jar" main="false" download="eager"/>
    <jar href="webstart/dockingFramesCore.jar" main="false" download="eager"/>
    <jar href="webstart/dockingFramesCommon.jar" main="false" download="eager"/>
    <jar href="webstart/flexgantt-1.1.7.jar" main="false" download="eager"/>
    <jar href="webstart/forms-1.0.7.jar" main="false" download="eager"/>
    <jar href="webstart/foxtrot-core-3.0.jar" main="false" download="eager"/>
    <jar href="webstart/groovy-all-1.5.5.jar" main="false" download="eager"/>
    <jar href="webstart/itext-2.1.0.jar" main="false" download="eager"/>
    <jar href="webstart/jasperreports-3.7.1.1.jar" main="false" download="eager"/>
    <jar href="webstart/jaxb-api.jar" main="false" download="eager"/>
    <jar href="webstart/jaxb-impl.jar" main="false" download="eager"/>
    <jar href="webstart/jaxb1-impl.jar" main="false" download="eager"/>
    <jar href="webstart/jaxws-api-2.0.jar" main="false" download="eager"/>
    <jar href="webstart/jce.jar" main="false" download="eager"/>
    <jar href="webstart/jcommon-1.0.0.jar" main="false" download="eager"/>
    <jar href="webstart/jdom-1.0.jar" main="false" download="eager"/>
    <jar href="webstart/jdtcore-3.1.0.jar" main="false" download="eager"/>
    <jar href="webstart/jfreechart-1.0.12.jar" main="false" download="eager"/>
    <jar href="webstart/jgl.jar" main="false" download="eager"/>
    <jar href="webstart/jhall.jar" main="false" download="eager"/>
    <jar href="webstart/jnlp.jar" main="false" download="eager"/>
    <jar href="webstart/jsse.jar" main="false" download="eager"/>
    <jar href="webstart/license4j-1.3.jar" main="false" download="eager"/>
    <jar href="webstart/log4j-1.2.14.jar" main="false" download="eager"/>
    <jar href="webstart/looks-2.1.3.jar" main="false" download="eager"/>
    <jar href="webstart/mail-1.4.jar" main="false" download="eager"/>
    <jar href="webstart/tnim-core.jar" main="false" download="eager"/>
    <jar href="webstart/tnim-assistant-api.jar" main="false" download="eager"/>
    <jar href="webstart/tnim-assistant-client.jar" main="true" download="eager"/>
    <jar href="webstart/opensaml-1.0.1.jar" main="false" download="eager"/>
    <jar href="webstart/pd4ml.jar" main="false" download="eager"/>
    <jar href="webstart/poi-3.2-FINAL-20081019.jar" main="false" download="eager"/>
    <jar href="webstart/saaj-api-1.3.jar" main="false" download="eager"/>
    <jar href="webstart/saaj-impl-1.3.jar" main="false" download="eager"/>
    <jar href="webstart/servlet-api-2.4.jar" main="false" download="eager"/>
    <jar href="webstart/soap.jar" main="false" download="eager"/>
    <jar href="webstart/ss_css2.jar" main="false" download="eager"/>
    <jar href="webstart/stax-api-1.0.1.jar" main="false" download="eager"/>
    <jar href="webstart/stax2-api-3.0.1.jar" main="false" download="eager"/>
    <jar href="webstart/stax-ex.jar" main="false" download="eager"/>
    <jar href="webstart/swing-layout.jar" main="false" download="eager"/>
    <jar href="webstart/tablelayout.jar" main="false" download="eager"/>
    <jar href="webstart/TimingFramework-1.0.jar" main="false" download="eager"/>
    <jar href="webstart/tinylaf.jar" main="false" download="eager"/>
    <jar href="webstart/wsdl4j-1.6.1.jar" main="false" download="eager"/>
    <jar href="webstart/wss4j-1.5.1.jar" main="false" download="eager"/>
    <jar href="webstart/woodstox-core-asl-4.0.3.jar" main="false" download="eager"/>
    <jar href="webstart/xercesImpl-2.6.2.jar" main="false" download="eager"/>
    <jar href="webstart/xfire-all-1.2.6-tnim-1.0.jar" main="false" download="eager"/>
    <jar href="webstart/xml-apis-1.0.b2.jar" main="false" download="eager"/>
    <jar href="webstart/xmlsec-1.3.0.jar" main="false" download="eager"/>
    <jar href="webstart/xpp3-1.1.3.4d_b4_min.jar" main="false" download="eager"/>
    <jar href="webstart/xstream-1.2.jar" main="false" download="eager"/>
    <jar href="webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar" main="false" download="eager"/>
    <jar href="webstart/swingx-1.6.1-tnim.jar" main="false" download="eager"/>
    </resources>
    <application-desc main-class="tnim.application.TnimAssistantStart"/>
    </jnlp>

    [...]

    preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=97]
    network: ResponseCode for https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar : 304
    network: Encoding for https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar : null
    network: Disconnect connection to https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar
    network: Download Progress: jarsDone: 68
    preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=100]
    network: Downloaded https://tnimern.xxx.com/tnimern/pics/address_book3.png
    preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=100]
    preloader: Enter wait for preloader jars to be loaded
    preloader: Done with loading of preloader jars. Error=null
    network: Created version ID: 2.2+
    network: Created version ID: 2.2.0
    network: Created version ID: 1.0+
    network: Created version ID: 7.0
    basic: _jreInstalled:    false
    basic: DefaultMatchJRE:
    JREDesc: JREDesc[version 1.6+, heap=-1-536870912, args=null, href=null, sel=true, null, null]
    JREInfo: JREInfo for index 0:
    platform is: 1.7
    product is: 1.7.0_07
    location is: http://java.sun.com/products/autodl/j2se
    path is: C:\Program Files\Java\jre7\bin\javaw.exe
    args is: null
    native platform is: Windows, amd64 [ x86_64, 64bit ]
    JavaFX runtime is: JavaFX 2.2.0 found at C:\Program Files\Java\jre7\
    enabled is: true
    registered is: true
    system is: true

    Init Heap: -1
    Max Heap: 536870912
    Satisfying: false, false
    SatisfyingVersion: true
    SatisfyingJVMArgs: false, false
    SatisfyingSecure: false
    Selected JVMParam: [JVMParameters: isSecure: false, args: -Xmx512m -Dtnim.ReportViewer=http://localhost:4712 -Dtnim.WebserviceURL=https://tnimern.xxx.com/tnimern/rpcrouter -DPDFServletURL=https://tnimern.xxx.com/tnimern/report? -Dtnim.defaultCustomer=tnimern -Dtnim.WebserviceGzipEnabled=true -Dtnim.url.show-on-login=http://www.yyy.tld/tnimern/login.html -Dtnim.url.show-on-dashboard=http://www.yyy.tld/tnimern/show-on-dashboard.html -Dtnim.url.customer-logo=http://www.yyy.tld/tnimern/logo_mwa_tnimern.png]
    Running JVMParam: [JVMParameters: isSecure: true, args: ]
    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/license4j-1.3.jar
    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/xml-apis-1.0.b2.jar
    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/commons-beanutils-1.7.0.jar

    [...]

    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/itext-2.1.0.jar
    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/commons-collections-3.2.jar
    cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/soap.jar
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/Assistant.jnlp, version: null] prevalidated=false/0
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar, version: null] prevalidated=true/0

    [...]

    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jasperreports-3.7.1.1.jar, version: null] prevalidated=true/0
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jaxb-api.jar, version: null] prevalidated=true/0
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jaxb-impl.jar, version: null] prevalidated=false/0
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\37d27898-4156fb56.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar)
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/activation-1.1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\7247df97-55a579f6.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/activation-1.1.jar)
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/AnimatedTransitions-0.11.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\225652bc-316a85b9.idx

    [...]

    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/looks-2.1.3.jar)
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar, version: null] prevalidated=true/0
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\371a8970-2ff3b951.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar)
    network: CleanupThread used 2 us
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar, version: null] prevalidated=false/0
    security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\74876302-6cd7f911 com.sun.deploy.cache.CachedJarFile@43c0f4d5
    cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\74876302-6cd7f911.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar)
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar, version: null] prevalidated=false/0
    security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\130c5d4f-7a32f530 com.sun.deploy.cache.CachedJarFile@7a6aed3f
    cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\130c5d4f-7a32f530.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar)
    network: CleanupThread used 1 us
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar, version: null] prevalidated=false/0
    security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\36bafcfc-3f08a0df com.sun.deploy.cache.CachedJarFile@4b2ddf1a
    cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\36bafcfc-3f08a0df.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar)
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar, version: null] prevalidated=true/0
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4c3578a4-238d860a.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar)

    [...]

    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/xstream-1.2.jar)
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar, version: null] prevalidated=true/0
    cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\94e78af-370a8676.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar)
    network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar, version: null] prevalidated=false/0
    security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\7277f3ad-76307a18 com.sun.deploy.cache.CachedJarFile@7d98a1be
    cache: Reading Signers from 64771 https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\7277f3ad-76307a18.idx
    cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar)
    security: Istrusted: https://tnimern.xxx.com/tnimern/Assistant.jnlp false
    security: Loading Deployment certificates from C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loaded Deployment certificates from C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer TrustedPublisher certificate store
    security: Loaded certificates from Internet Explorer TrustedPublisher certificate store
    security: Validate the certificate chain using CertPath API
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    security: The certificate hasnt been expired, no need to check timestamping info
    security: Found jurisdiction list file
    security: Start checking trusted extension for this certificate
    security: Start comparing to jurisdiction list with this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment permanent certificate store
    security: Checking if certificate is in Deployment session certificate store
    security: Checking if certificate is in Internet Explorer TrustedPublisher certificate store
    preloader: Stop progressCheck thread
  • 5. Re: Webstart security warning for "expired certificate" which is not expired
    817614 Explorer
    The tracing does not show anything saying that the certificate expired. Maybe if you could post the image of the dialog or full text of the warning message (English if possible) it would be easier to track.

    Edited by: ntn on Oct 19, 2012 6:46 PM
  • 6. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    Hi ntn,
    ntn wrote:
    The tracing does not show anything saying that the certificate expired. Maybe if you could post the image of the dialog or full text of the warning message (English if possible) it would be easier to track.

    Edited by: ntn on Oct 19, 2012 6:46 PM
    I know... the trace complains only about one thing, and that is an unsigned JNLP. Which is optional and probably unrelated to this problem. I included the English version of the warning in my last post. It is "The application's digital signature has expired." I believe this is to be treated differently from an expired certificate. The certificate is NOT expired. As can be seen in screenshots posted earlier in this thread, the certificate is valid for two more years. It had been renewed just one or two weeks ago. And this problem is probably not related to the renewal because the code was signed after, plus we have had reports of the same problem for the old certificate.

    Meanwhile we even tried to analyze this by decompiling WebStart. There are tons of similar errors and warnings (including a very similar but different constant, something like "The digital signature has expired."). Anyway, since we do not have any debug info it will be a major effort to work this out based on decompiled code...

    Thanks for taking the time.
  • 7. Re: Webstart security warning for "expired certificate" which is not expired
    973051 Newbie
    We have the same issue with a user who downloaded jre7 for the 1st time today, (with a webstart app that has been running for a couple of years 'ok'). Not sure if that is a red herring or not, but other users who have earlier versions of 7 installed are able to launch with no issues.
  • 8. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    970048 wrote:
    We have the same issue with a user who downloaded jre7 for the 1st time today, (with a webstart app that has been running for a couple of years 'ok'). Not sure if that is a red herring or not, but other users who have earlier versions of 7 installed are able to launch with no issues.
    Well that seems to indicate a problem with JRE7. We were also suspecting some regression in that WebStart version. Difficult to pinpoint though.
  • 9. Re: Webstart security warning for "expired certificate" which is not expired
    226794 Newbie
    I'm having the same problem.
    Jars signed and timestamped with Java 1.6.0_02

    Web Start runs fine if the user is running a Java 6 JRE, but failing with JRE build 1.7.0_05-b06

    I've spent a couple of weeks on this issue even calling Thawte support, but it seems to be a Java 7 problem.

    Is there an open bug for this, and when might we see a fix?
  • 10. Re: Webstart security warning for "expired certificate" which is not expired
    914420 Newbie
    flournoy, you are lucky - today we solved the problem. At least for our case. The webstart warning, "application's digital signature has expired", is very misleading. The problem went away when we prefixed our own system properties in the jnlp with "jnlp."

    Generally speaking, all properties need to be secure. In the console log you don't want to see this: "JVMParameters: isSecure: false". This became a "true" when we prefixed all properties with "jnlp." All other leads we were following did not help a bit, e.g. signing the jnlp (including it in a signed jar file), using extension jnlps, using or not using a timeserver when signing etc. Good luck...
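
A build-time check for the fix described in reply 10, as an added example that is not part of the original thread or of Java Web Start: it lists JNLP property names that lack a secure prefix, rewrites them with "jnlp.", and extracts the -D arguments from trace lines reporting "isSecure: false". The sample JNLP and trace are constructed from the ones posted above with a placeholder host; the function names are hypothetical, "javaws." is included as the other secure prefix from the Java deployment documentation, and Web Start's built-in list of secure property names is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Prefixes that mark a JNLP <property> as secure. "jnlp." is the one used in
# the thread; "javaws." is the other documented prefix (assumption: the
# built-in list of individually secure property names is not modelled here).
SECURE_PREFIXES = ("jnlp.", "javaws.")

# Constructed sample modelled on the JNLP in the trace (placeholder host).
SAMPLE_JNLP = """<jnlp spec="1.0+" href="Assistant.jnlp" codebase="https://example.invalid/app/">
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+" max-heap-size="512m"/>
    <property name="tnim.WebserviceURL" value="https://example.invalid/app/rpcrouter"/>
    <property name="tnim.WebserviceGzipEnabled" value="true"/>
    <property name="jnlp.tnim.defaultCustomer" value="tnimern"/>
    <jar href="webstart/tnim-assistant-client.jar" main="true"/>
  </resources>
</jnlp>
"""

# Constructed sample modelled on the two JVMParam lines in the posted trace.
SAMPLE_TRACE = """\
Selected JVMParam: [JVMParameters: isSecure: false, args: -Xmx512m -Dtnim.WebserviceURL=https://example.invalid/app/rpcrouter -Dtnim.WebserviceGzipEnabled=true]
Running JVMParam: [JVMParameters: isSecure: true, args: ]
"""

IS_SECURE_FALSE = re.compile(r"JVMParameters: isSecure: false, args: (.*?)\]")


def insecure_properties(jnlp_text, secure_prefixes=SECURE_PREFIXES):
    """Return <property> names that do not start with a secure prefix."""
    root = ET.fromstring(jnlp_text)
    prefixes = tuple(secure_prefixes)
    return [
        prop.get("name", "")
        for prop in root.iter("property")
        if not prop.get("name", "").startswith(prefixes)
    ]


def prefix_properties(jnlp_text, prefix="jnlp."):
    """Rename every non-secure property to prefix + name.

    Returns the rewritten XML and an old-name -> new-name map so the
    application's property lookups can be updated to match.
    """
    root = ET.fromstring(jnlp_text)
    renamed = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if not name.startswith(SECURE_PREFIXES):
            prop.set("name", prefix + name)
            renamed[name] = prefix + name
    return ET.tostring(root, encoding="unicode"), renamed


def insecure_jvm_args(trace_text):
    """Return the -D arguments on trace lines that report isSecure: false."""
    found = []
    for line in trace_text.splitlines():
        match = IS_SECURE_FALSE.search(line)
        if match:
            found.extend(a for a in match.group(1).split() if a.startswith("-D"))
    return found


if __name__ == "__main__":
    print("not secure:", insecure_properties(SAMPLE_JNLP))
    fixed, renamed = prefix_properties(SAMPLE_JNLP)
    print("renamed:", renamed)
    print("still not secure after rewrite:", insecure_properties(fixed))
    print("flagged in trace:", insecure_jvm_args(SAMPLE_TRACE))
```

After the rename, the application has to read each property under its new name, since the system property key changes along with the JNLP entry.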
  • 11. Re: Webstart security warning for "expired certificate" which is not expired
    226794 Newbie
    Hmm... I'll give that a try. Many thanks for the tip.
    -j
  • 12. Re: Webstart security warning for "expired certificate" which is not expired
    226794 Newbie
    That was apparently not my problem, when I launch my sample web start app I see JVMParameters: isSecure: true

    Match: ignoring maxHeap: -1
    Match: ignoring InitHeap: -1
    Match: digesting vmargs: null
    Match: digested vmargs: [JVMParameters: isSecure: true, args: ]
    Match: JVM args after accumulation: [JVMParameters: isSecure: true, args: ]
    Match: digest LaunchDesc: http://rhymingplace.com/work/sample.jnlp
    Match: digest properties: []
    Match: JVM args: [JVMParameters: isSecure: true, args: ]
    Match: endTraversal ..
    Match: JVM args final:
    Match: Running JREInfo Version match: 1.7.0.09 == 1.7.0.09
    Match: Running JVM args match: have:<> satisfy want:<>

    So, my timestamped, signed, web start application will run fine when the signing certificate expires, as long as the user isn't using Java 7. I think I can specify that JNLP requires a Java6 runtime - so that may be the solution for me until Java 7 will work with the timestamping authority.
