12 Replies Latest reply: Dec 6, 2012 1:15 PM by 226794

    Webstart security warning for "expired certificate" which is not expired

    914420
      Occasionally we are seeing a security warning when starting a WebStart application on Java 7. The warning is about an expired certificate ("digital signature has expired").
      (german) http://img194.imagevenue.com/img.php?image=47970_screenshot_3_122_249lo.jpg

      When looking at details offered by the dialog, the certificate period is not expired, actually. At the time of this writing, the certificate was recently renewed and starts about a week in the past, and ends in two years.
      (german) http://img212.imagevenue.com/img.php?image=47056_screenshot_1_122_668lo.jpg

      First I thought that this might be caused by not signing the JNLP itself because the security details warn about an unsigned JNLP:
      (german) http://img156.imagevenue.com/img.php?image=47057_screenshot_2_122_409lo.jpg

      Furthermore, this post seems to indicate that JNLP signing might be mandatory:
      How to sign a auto generated JNLP file....

      The JNLP spec describes this as optional. What else could be the problem here?

      Edited by: wl on Oct 11, 2012 12:06 PM
        • 1. Re: Webstart security warning for "expired certificate" which is not expired
          817614
          You can turn on tracing to get more debug info. See: http://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf
          • 2. Re: Webstart security warning for "expired certificate" which is not expired
            914420
            Thanks. After removing the certificate from the list of trusted certificates I am getting the same security box again, this time with trace enabled. Unfortunately it is not very helpful. Meanwhile I discovered that the jars were signed without using a timestamp server (a regression in the build script a while ago). Hopefully using a timestamp server resolves it...

            Edited by: wl on Oct 15, 2012 2:17 PM
            • 3. Re: Webstart security warning for "expired certificate" which is not expired
              914420
              wl wrote:
              Thanks. After removing the certificate from the list of trusted certificates I am getting the same security box again, this time with trace enabled. Unfortunately it is not very helpful. Meanwhile I discovered that the jars were signed without using a timestamp server (a regression in the build script a while ago). Hopefully using a timestamp server resolves it...
              No luck, again. Using tsaurl "https://timestamp.geotrust.com/tsa" for signing did not make a difference. There is still a security box claiming an expired signature. I verified that the timestamp server was actually used by looking into META-INF/MINT_SIG.RSA - the file contains the string "geotrust". Also, I did a "jarsigner -verify -verbose" on each jar file in the jnlp. Every file is marked "sm" (signature was verified, entry is listed in manifest).

              I am out of ideas. Any advice? Thanks in advance.
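Added example, not part of the original post: the check described in the post above (looking for the string "geotrust" in META-INF/MINT_SIG.RSA) can be made more specific by walking the DER structure of each signature block and looking for the RFC 3161 timestamp-token attribute OID (1.2.840.113549.1.9.16.2.14). The function names and the sample jar below are constructed for illustration; the check confirms only that a token is present, not that it is valid.

```python
import io
import zipfile

# DER content bytes of the OIDs searched for.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")          # 1.2.840.113549.1.7.2
OID_TIMESTAMP_TOKEN = bytes.fromhex("2a864886f70d010910020e")  # 1.2.840.113549.1.9.16.2.14
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past end of enclosing element")
    return tag, pos, pos + length


def collect_oids(buf, start=0, end=None, depth=0):
    """Walk constructed DER elements and return every OID value found."""
    end = len(buf) if end is None else end
    found, pos = set(), start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos, end)
        if tag == 0x06:                    # OBJECT IDENTIFIER
            found.add(bytes(buf[vstart:vend]))
        elif tag & 0x20 and depth < 32:    # SEQUENCE, SET, [n] constructed
            found |= collect_oids(buf, vstart, vend, depth + 1)
        pos = vend
    return found


def timestamp_report(jar_bytes):
    """Map each signature block in the jar to True/False (None if not DER)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not (upper.startswith("META-INF/") and upper.endswith(SIG_BLOCK_SUFFIXES)):
                continue
            try:
                oids = collect_oids(jar.read(name))
            except ValueError:
                report[name] = None
                continue
            report[name] = OID_SIGNED_DATA in oids and OID_TIMESTAMP_TOKEN in oids
    return report


# --- Constructed sample input (a skeleton, not a real signature) -------------
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        header = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + body


def sample_sig_block(with_timestamp):
    # The OCTET STRING stands in for certificate bytes that mention the CA name,
    # so both variants contain "geotrust" whether or not a token is attached.
    signer = [der(0x02, b"\x01"), der(0x04, b"geotrust")]
    if with_timestamp:
        token = der(0x30, der(0x04, b"constructed-token"))
        attr = der(0x30, der(0x06, OID_TIMESTAMP_TOKEN), der(0x31, token))
        signer.append(der(0xA1, attr))     # unsignedAttrs [1]
    signed_data = der(0x30, der(0x02, b"\x01"), der(0x31, der(0x30, *signer)))
    return der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, signed_data))


def sample_jar(with_timestamp):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("META-INF/MINT_SIG.RSA", sample_sig_block(with_timestamp))
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("timestamped", True), ("not timestamped", False)):
        print(label, timestamp_report(sample_jar(flag)))
```

To check real jars, pass the bytes of each file listed in the JNLP to `timestamp_report`; a `False` entry means the signature block carries no timestamp token even if the CA name appears in it.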
              • 4. Re: Webstart security warning for "expired certificate" which is not expired
                914420
                ntn wrote:
                You can turn on tracing to get more debug info. See: http://docs.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf
                Meanwhile I've got the correct trace (ignore my trace from last week). I cannot post it here because it exceeds 30k. See below for a shortened version. After this the security dialog appears with this hint: The application's digital signature has expired.

                Java Web Start 10.7.2.10
                Using JRE version 1.7.0_07-b10 Java HotSpot(TM) 64-Bit Server VM
                ----------------------------------------------------
                c: clear console window
                f: finalize objects on finalization queue
                g: garbage collect
                h: display this help message
                m: print memory usage
                o: trigger logging
                p: reload proxy configuration
                q: hide console
                r: reload policy configuration
                s: dump system and deployment properties
                t: dump thread list
                v: dump thread stack
                0-5: set trace level to <n>
                ----------------------------------------------------
                basic: Java part started
                basic: jnlpx.jvm: C:\Program Files\Java\jre7\bin\javaw.exe
                basic: jnlpx.splashport: 59764
                basic: jnlpx.remove: false
                basic: jnlpx.heapsize: null
                network: Loading user-defined proxy configuration ...
                network: Done.
                network: Browser is FirefoxURL
                network: Browser is Firefox
                network: Loading proxy configuration from Netscape Navigator ...
                network: Proxy enable: 0
                network: Done.
                network: Loading direct proxy configuration ...
                network: Done.
                network: Proxy Configuration: No proxy
                security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
                security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
                security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
                security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
                security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
                security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
                security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
                security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
                security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
                security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
                security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
                security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
                security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
                basic: Running JVMParams: [JVMParameters: isSecure: true, args: ]
                     -> [JVMParameters: isSecure: true, args: ]
                network: Created version ID: 1.7.0.07
                network: Created version ID: 1.7
                network: Created version ID: 2.2.0
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/Assistant.jnlp, version: null] prevalidated=false/0
                cache: Resource https://tnimern.xxx.com/tnimern/Assistant.jnlp has expired.
                cache: Resource https://tnimern.xxx.com/tnimern/Assistant.jnlp has cache control: no-cache.
                network: Connecting https://tnimern.xxx.com/tnimern/Assistant.jnlp with proxy=DIRECT
                network: Connecting socket://tnimern.xxx.com:443 with proxy=DIRECT
                security: Loading Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
                security: Loaded Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
                security: Loading SSL Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
                security: Loaded SSL Root CA certificates from C:\Program Files\Java\jre7\lib\security\cacerts
                security: Loading certificates from Deployment session certificate store
                security: Loaded certificates from Deployment session certificate store
                security: Loading certificates from Internet Explorer ROOT certificate store
                security: Loaded certificates from Internet Explorer ROOT certificate store
                security: Checking if certificate is in Deployment denied certificate store
                network: ResponseCode for https://tnimern.xxx.com/tnimern/Assistant.jnlp : 304
                network: Encoding for https://tnimern.xxx.com/tnimern/Assistant.jnlp : null
                network: Disconnect connection to https://tnimern.xxx.com/tnimern/Assistant.jnlp
                temp: new XMLParser with source:
                temp: <?xml version="1.0" encoding="ISO-8859-1"?>
                <jnlp xmlns:jfx="http://javafx.com" spec="1.0+" href="Assistant.jnlp" codebase="https://tnimern.xxx.com/tnimern/">
                <information>
                <title>TNIM Assistant</title>
                <vendor>VENDOR</vendor>
                <homepage href="index.html"/>
                <description>TNIM Assistant</description>
                <offline-allowed/>
                <icon href="pics/logo_people.jpg" kind="splash"/>
                <icon href="pics/address_book3.png"/>
                </information>
                <security>
                <all-permissions/>
                </security>
                <resources>
                <j2se version="1.6+" max-heap-size="512m" language="" country=""/>
                <jfx:javafx-runtime version="2.2+" href="http://javadl.sun.com/webapps/download/GetFile/javafx-latest/windows-i586/javafx2.jnlp"/>
                <property name="tnim.ReportViewer" value="http://localhost:4712"/>
                <property name="tnim.WebserviceURL" value="https://tnimern.xxx.com/tnimern/rpcrouter"/>
                <property name="PDFServletURL" value="https://tnimern.xxx.com/tnimern/report?"/>
                <property name="tnim.defaultCustomer" value="tnimern"/>
                <property name="tnim.WebserviceGzipEnabled" value="true"/>
                <property name="tnim.url.show-on-login" value="http://www.yyy.tld/tnimern/login.html"/>
                <property name="tnim.url.show-on-dashboard" value="http://www.yyy.tld/tnimern/show-on-dashboard.html"/>
                <property name="tnim.url.customer-logo" value="http://www.yyy.tld/tnimern/logo_mwa_tnimern.png"/>
                <jar href="webstart/xfire-jsr181-api-1.0-M1.jar" main="false" download="eager"/>
                <jar href="webstart/activation-1.1.jar" main="false" download="eager"/>
                <jar href="webstart/AnimatedTransitions-0.11.jar" main="false" download="eager"/>
                <jar href="webstart/balloontip-1.0.jar" main="false" download="eager"/>
                <jar href="webstart/bcprov-jdk15-133.jar" main="false" download="eager"/>
                <jar href="webstart/commons-beanutils-1.7.0.jar" main="false" download="eager"/>
                <jar href="webstart/commons-codec-1.3.jar" main="false" download="eager"/>
                <jar href="webstart/commons-collections-3.2.jar" main="false" download="eager"/>
                <jar href="webstart/commons-digester-1.7.jar" main="false" download="eager"/>
                <jar href="webstart/commons-httpclient-3.0.jar" main="false" download="eager"/>
                <jar href="webstart/commons-io-1.3.1.jar" main="false" download="eager"/>
                <jar href="webstart/commons-lang-2.3.jar" main="false" download="eager"/>
                <jar href="webstart/commons-logging-1.0.4.jar" main="false" download="eager"/>
                <jar href="webstart/commons-net-3.0.1.jar" main="false" download="eager"/>
                <jar href="webstart/dockingFramesCore.jar" main="false" download="eager"/>
                <jar href="webstart/dockingFramesCommon.jar" main="false" download="eager"/>
                <jar href="webstart/flexgantt-1.1.7.jar" main="false" download="eager"/>
                <jar href="webstart/forms-1.0.7.jar" main="false" download="eager"/>
                <jar href="webstart/foxtrot-core-3.0.jar" main="false" download="eager"/>
                <jar href="webstart/groovy-all-1.5.5.jar" main="false" download="eager"/>
                <jar href="webstart/itext-2.1.0.jar" main="false" download="eager"/>
                <jar href="webstart/jasperreports-3.7.1.1.jar" main="false" download="eager"/>
                <jar href="webstart/jaxb-api.jar" main="false" download="eager"/>
                <jar href="webstart/jaxb-impl.jar" main="false" download="eager"/>
                <jar href="webstart/jaxb1-impl.jar" main="false" download="eager"/>
                <jar href="webstart/jaxws-api-2.0.jar" main="false" download="eager"/>
                <jar href="webstart/jce.jar" main="false" download="eager"/>
                <jar href="webstart/jcommon-1.0.0.jar" main="false" download="eager"/>
                <jar href="webstart/jdom-1.0.jar" main="false" download="eager"/>
                <jar href="webstart/jdtcore-3.1.0.jar" main="false" download="eager"/>
                <jar href="webstart/jfreechart-1.0.12.jar" main="false" download="eager"/>
                <jar href="webstart/jgl.jar" main="false" download="eager"/>
                <jar href="webstart/jhall.jar" main="false" download="eager"/>
                <jar href="webstart/jnlp.jar" main="false" download="eager"/>
                <jar href="webstart/jsse.jar" main="false" download="eager"/>
                <jar href="webstart/license4j-1.3.jar" main="false" download="eager"/>
                <jar href="webstart/log4j-1.2.14.jar" main="false" download="eager"/>
                <jar href="webstart/looks-2.1.3.jar" main="false" download="eager"/>
                <jar href="webstart/mail-1.4.jar" main="false" download="eager"/>
                <jar href="webstart/tnim-core.jar" main="false" download="eager"/>
                <jar href="webstart/tnim-assistant-api.jar" main="false" download="eager"/>
                <jar href="webstart/tnim-assistant-client.jar" main="true" download="eager"/>
                <jar href="webstart/opensaml-1.0.1.jar" main="false" download="eager"/>
                <jar href="webstart/pd4ml.jar" main="false" download="eager"/>
                <jar href="webstart/poi-3.2-FINAL-20081019.jar" main="false" download="eager"/>
                <jar href="webstart/saaj-api-1.3.jar" main="false" download="eager"/>
                <jar href="webstart/saaj-impl-1.3.jar" main="false" download="eager"/>
                <jar href="webstart/servlet-api-2.4.jar" main="false" download="eager"/>
                <jar href="webstart/soap.jar" main="false" download="eager"/>
                <jar href="webstart/ss_css2.jar" main="false" download="eager"/>
                <jar href="webstart/stax-api-1.0.1.jar" main="false" download="eager"/>
                <jar href="webstart/stax2-api-3.0.1.jar" main="false" download="eager"/>
                <jar href="webstart/stax-ex.jar" main="false" download="eager"/>
                <jar href="webstart/swing-layout.jar" main="false" download="eager"/>
                <jar href="webstart/tablelayout.jar" main="false" download="eager"/>
                <jar href="webstart/TimingFramework-1.0.jar" main="false" download="eager"/>
                <jar href="webstart/tinylaf.jar" main="false" download="eager"/>
                <jar href="webstart/wsdl4j-1.6.1.jar" main="false" download="eager"/>
                <jar href="webstart/wss4j-1.5.1.jar" main="false" download="eager"/>
                <jar href="webstart/woodstox-core-asl-4.0.3.jar" main="false" download="eager"/>
                <jar href="webstart/xercesImpl-2.6.2.jar" main="false" download="eager"/>
                <jar href="webstart/xfire-all-1.2.6-tnim-1.0.jar" main="false" download="eager"/>
                <jar href="webstart/xml-apis-1.0.b2.jar" main="false" download="eager"/>
                <jar href="webstart/xmlsec-1.3.0.jar" main="false" download="eager"/>
                <jar href="webstart/xpp3-1.1.3.4d_b4_min.jar" main="false" download="eager"/>
                <jar href="webstart/xstream-1.2.jar" main="false" download="eager"/>
                <jar href="webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar" main="false" download="eager"/>
                <jar href="webstart/swingx-1.6.1-tnim.jar" main="false" download="eager"/>
                </resources>
                <application-desc main-class="tnim.application.TnimAssistantStart"/>
                </jnlp>

                [...]

                preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=97]
                network: ResponseCode for https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar : 304
                network: Encoding for https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar : null
                network: Disconnect connection to https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar
                network: Download Progress: jarsDone: 68
                preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=100]
                network: Downloaded https://tnimern.xxx.com/tnimern/pics/address_book3.png
                preloader: Delivering: DownloadEvent[type=verify,loaded=1, total=1, percent=100]
                preloader: Enter wait for preloader jars to be loaded
                preloader: Done with loading of preloader jars. Error=null
                network: Created version ID: 2.2+
                network: Created version ID: 2.2.0
                network: Created version ID: 1.0+
                network: Created version ID: 7.0
                basic: _jreInstalled:    false
                basic: DefaultMatchJRE:
                JREDesc: JREDesc[version 1.6+, heap=-1-536870912, args=null, href=null, sel=true, null, null]
                JREInfo: JREInfo for index 0:
                platform is: 1.7
                product is: 1.7.0_07
                location is: http://java.sun.com/products/autodl/j2se
                path is: C:\Program Files\Java\jre7\bin\javaw.exe
                args is: null
                native platform is: Windows, amd64 [ x86_64, 64bit ]
                JavaFX runtime is: JavaFX 2.2.0 found at C:\Program Files\Java\jre7\
                enabled is: true
                registered is: true
                system is: true

                Init Heap: -1
                Max Heap: 536870912
                Satisfying: false, false
                SatisfyingVersion: true
                SatisfyingJVMArgs: false, false
                SatisfyingSecure: false
                Selected JVMParam: [JVMParameters: isSecure: false, args: -Xmx512m -Dtnim.ReportViewer=http://localhost:4712 -Dtnim.WebserviceURL=https://tnimern.xxx.com/tnimern/rpcrouter -DPDFServletURL=https://tnimern.xxx.com/tnimern/report? -Dtnim.defaultCustomer=tnimern -Dtnim.WebserviceGzipEnabled=true -Dtnim.url.show-on-login=http://www.yyy.tld/tnimern/login.html -Dtnim.url.show-on-dashboard=http://www.yyy.tld/tnimern/show-on-dashboard.html -Dtnim.url.customer-logo=http://www.yyy.tld/tnimern/logo_mwa_tnimern.png]
                Running JVMParam: [JVMParameters: isSecure: true, args: ]
                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/license4j-1.3.jar
                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/xml-apis-1.0.b2.jar
                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/commons-beanutils-1.7.0.jar

                [...]

                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/itext-2.1.0.jar
                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/commons-collections-3.2.jar
                cache: MemoryCache: removed entry https://tnimern.xxx.com/tnimern/webstart/soap.jar
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/Assistant.jnlp, version: null] prevalidated=false/0
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar, version: null] prevalidated=true/0

                [...]

                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jasperreports-3.7.1.1.jar, version: null] prevalidated=true/0
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jaxb-api.jar, version: null] prevalidated=true/0
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/jaxb-impl.jar, version: null] prevalidated=false/0
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\37d27898-4156fb56.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/xfire-jsr181-api-1.0-M1.jar)
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/activation-1.1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\7247df97-55a579f6.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/activation-1.1.jar)
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/AnimatedTransitions-0.11.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\225652bc-316a85b9.idx

                [...]

                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/looks-2.1.3.jar)
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar, version: null] prevalidated=true/0
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\371a8970-2ff3b951.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/mail-1.4.jar)
                network: CleanupThread used 2 us
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar, version: null] prevalidated=false/0
                security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\74876302-6cd7f911 com.sun.deploy.cache.CachedJarFile@43c0f4d5
                cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\74876302-6cd7f911.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-core.jar)
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar, version: null] prevalidated=false/0
                security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\130c5d4f-7a32f530 com.sun.deploy.cache.CachedJarFile@7a6aed3f
                cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\130c5d4f-7a32f530.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-api.jar)
                network: CleanupThread used 1 us
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar, version: null] prevalidated=false/0
                security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\36bafcfc-3f08a0df com.sun.deploy.cache.CachedJarFile@4b2ddf1a
                cache: Reading Signers from 6067 https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\36bafcfc-3f08a0df.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/tnim-assistant-client.jar)
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar, version: null] prevalidated=true/0
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\4c3578a4-238d860a.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/opensaml-1.0.1.jar)

                [...]

                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/xstream-1.2.jar)
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar, version: null] prevalidated=true/0
                cache: Reading Signers from 4485 https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\94e78af-370a8676.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/org.eclipse.osgi_3.6.1.R36x_v20100806.jar)
                network: Cache entry found [url: https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar, version: null] prevalidated=false/0
                security: Validating cached jar url=https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar ffile=C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\7277f3ad-76307a18 com.sun.deploy.cache.CachedJarFile@7d98a1be
                cache: Reading Signers from 64771 https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar | C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\7277f3ad-76307a18.idx
                cache: Done readSigners(https://tnimern.xxx.com/tnimern/webstart/swingx-1.6.1-tnim.jar)
                security: Istrusted: https://tnimern.xxx.com/tnimern/Assistant.jnlp false
                security: Loading Deployment certificates from C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
                security: Loaded Deployment certificates from C:\Users\user1.DOMAIN\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
                security: Loading certificates from Deployment session certificate store
                security: Loaded certificates from Deployment session certificate store
                security: Loading certificates from Internet Explorer TrustedPublisher certificate store
                security: Loaded certificates from Internet Explorer TrustedPublisher certificate store
                security: Validate the certificate chain using CertPath API
                security: Loading certificates from Internet Explorer ROOT certificate store
                security: Loaded certificates from Internet Explorer ROOT certificate store
                security: The certificate hasnt been expired, no need to check timestamping info
                security: Found jurisdiction list file
                security: Start checking trusted extension for this certificate
                security: Start comparing to jurisdiction list with this certificate
                security: The CRL support is disabled
                security: The OCSP support is disabled
                security: This OCSP End Entity validation is disabled
                security: Checking if certificate is in Deployment denied certificate store
                security: Checking if certificate is in Deployment permanent certificate store
                security: Checking if certificate is in Deployment session certificate store
                security: Checking if certificate is in Internet Explorer TrustedPublisher certificate store
                preloader: Stop progressCheck thread
                • 5. Re: Webstart security warning for "expired certificate" which is not expired
                  817614
                  The tracing does not show anything saying that the certificate expired. Maybe if you could post the image of the dialog or full text of the warning message (English if possible) it would be easier to track.

                  Edited by: ntn on Oct 19, 2012 6:46 PM
                  • 6. Re: Webstart security warning for "expired certificate" which is not expired
                    914420
                    Hi ntn,
                    ntn wrote:
                    The tracing does not show anything saying that the certificate expired. Maybe if you could post the image of the dialog or full text of the warning message (English if possible) it would be easier to track.

                    Edited by: ntn on Oct 19, 2012 6:46 PM
                    I know... the trace complains only about one thing, and that is an unsigned JNLP. Which is optional and probably unrelated to this problem. I included the English version of the warning in my last post. It is "The application's digital signature has expired." I believe this is to be treated differently from an expired certificate. The certificate is NOT expired. As can be seen in screenshots posted earlier in this thread, the certificate is valid for two more years. It had been renewed just one or two weeks ago. And this problem is probably not related to the renewal because the code was signed after, plus we have had reports of the same problem for the old certificate.

                    Meanwhile we even tried to analyze this by decompiling WebStart. There are tons of similar errors and warnings (including a very similar but different constant, something like "The digital signature has expired."). Anyway, since we do not have any debug info it will be a major effort to work this out based on decompiled code...

                    Thanks for taking the time.
                    • 7. Re: Webstart security warning for "expired certificate" which is not expired
                      973051
                      We have the same issue with a user who downloaded jre7 for the 1st time today, (with a webstart app that has been running for a couple of years 'ok'). Not sure if that is a red herring or not, but other users who have earlier versions of 7 installed are able to launch with no issues.
                      • 8. Re: Webstart security warning for "expired certificate" which is not expired
                        914420
                        970048 wrote:
                        We have the same issue with a user who downloaded jre7 for the 1st time today, (with a webstart app that has been running for a couple of years 'ok'). Not sure if that is a red herring or not, but other users who have earlier versions of 7 installed are able to launch with no issues.
                        Well that seems to indicate a problem with JRE7. We were also suspecting some regression in that WebStart version. Difficult to pinpoint though.
                        • 9. Re: Webstart security warning for "expired certificate" which is not expired
                          226794
                          I'm having the same problem.
                          Jars signed and timestamped with Java 1.6.0_02

                          Web Start runs fine if the user is running a Java 6 JRE, but fails with JRE build 1.7.0_05-b06

                          I've spent a couple of weeks on this issue even calling Thawte support, but it seems to be a Java 7 problem.

                          Is there an open bug for this, and when might we see a fix?
                          • 10. Re: Webstart security warning for "expired certificate" which is not expired
                            914420
                            flournoy, you are lucky - today we solved the problem. At least for our case. The webstart warning, "application's digital signature has expired", is very misleading. The problem went away when we prefixed our own system properties in the jnlp with "jnlp."

                            Generally speaking, all properties need to be secure. In the console log you don't want to see this: "JVMParameters: isSecure: false". This became a "true" when we prefixed all properties with "jnlp." All other leads we were following did not help a bit, e.g. signing the jnlp (including it in a signed jar file), using extension jnlps, using or not using a timeserver when signing etc. Good luck...
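The fix described in the post above can be turned into a build-time check. This is an added example, not code from the thread or from Java Web Start: it lists JNLP `<property>` names that lack the "jnlp." prefix and finds "JVMParameters: isSecure: false" lines in a console trace. The function names, the sample descriptor and the sample trace are constructed for illustration, and Web Start's built-in list of predefined secure property names is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Prefix the thread reports as the fix. Web Start's built-in list of
# predefined secure property names is NOT modelled here (assumption), so a
# flagged property may still be acceptable to the runtime.
SECURE_PREFIXES = ("jnlp.",)

# Constructed sample descriptor, not taken from the thread.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/app" href="sample.jnlp">
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app.jar" main="true"/>
    <property name="jnlp.app.server" value="https://example.invalid/api"/>
    <property name="app.mode" value="production"/>
  </resources>
  <resources os="Windows">
    <property name="app.native.dir" value="win32"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>
"""

# Constructed trace lines in the format quoted in the thread.
SAMPLE_TRACE = """Match: digesting vmargs: null
Match: digested vmargs: [JVMParameters: isSecure: false, args: ]
Match: JVM args final:
"""

def insecure_properties(jnlp_text, prefixes=SECURE_PREFIXES):
    """Names of <property> elements in any <resources> block without a secure prefix."""
    root = ET.fromstring(jnlp_text)
    return [p.get("name", "")
            for res in root.iter("resources")
            for p in res.findall("property")
            if not p.get("name", "").startswith(tuple(prefixes))]

def trace_insecure_lines(trace_text):
    """Trace lines that report 'JVMParameters: isSecure: false'."""
    pat = re.compile(r"JVMParameters:\s*isSecure:\s*false")
    return [ln.strip() for ln in trace_text.splitlines() if pat.search(ln)]

if __name__ == "__main__":
    print(insecure_properties(SAMPLE_JNLP))
    print(trace_insecure_lines(SAMPLE_TRACE))
```

Failing the build when `insecure_properties` returns a non-empty list catches the regression before a user sees the misleading "digital signature has expired" dialog.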
                            • 11. Re: Webstart security warning for "expired certificate" which is not expired
                              226794
                              Hmm... I'll give that a try. Many thanks for the tip.
                              -j
                              • 12. Re: Webstart security warning for "expired certificate" which is not expired
                                226794
                                That was apparently not my problem. When I launch my sample web start app I see JVMParameters: isSecure: true

                                Match: ignoring maxHeap: -1
                                Match: ignoring InitHeap: -1
                                Match: digesting vmargs: null
                                Match: digested vmargs: [JVMParameters: isSecure: true, args: ]
                                Match: JVM args after accumulation: [JVMParameters: isSecure: true, args: ]
                                Match: digest LaunchDesc: http://rhymingplace.com/work/sample.jnlp
                                Match: digest properties: []
                                Match: JVM args: [JVMParameters: isSecure: true, args: ]
                                Match: endTraversal ..
                                Match: JVM args final:
                                Match: Running JREInfo Version match: 1.7.0.09 == 1.7.0.09
                                Match: Running JVM args match: have:<> satisfy want:<>

                                So, my timestamped, signed, web start application will run fine when the signing certificate expires, as long as the user isn't using Java 7. I think I can specify that JNLP requires a Java6 runtime - so that may be the solution for me until Java 7 will work with the timestamping authority.