How to make a machine trust a self-signed Java application


Solution 1

Just go to *Start menu >> Java >> Configure Java >> Security >> Edit Site List >> copy and paste your link with the problem >> OK*. Problem fixed :)

Solution 2

SERIOUS DISCLAIMER

This solution has a serious security flaw. Please use at your own risk.
Have a look at the comments on this post, and look at all the answers to this question.


OK, I had to go to the customer premises and found a solution. I:

  • Exported the keystore that holds the signing keys in PKCS #12 format
  • Opened control panel Java -> Security tab
  • Clicked Manage certificates
  • Imported this new keystore as a secure site CA

Then I opened the JAWS application without any warning. This is a little bit cumbersome, but much cheaper than buying a signed certificate!

Solution 3

I was having the same issue, so I went to the Java options through Control Panel. I copied the web address that I was having an issue with to the exceptions and it was fixed.

Solution 4

I had the same problem, but I solved it from Java Control Panel --> Security --> Security Level: MEDIUM. Just that, no Manage certificates, imports, exports, etc.

Author: Benoit Duffez

Updated on January 28, 2020

Comments

  • Benoit Duffez over 4 years

    I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is:

    Application bloquée par les paramètres de sécurité
    Vos paramètres de sécurité ont bloqué l'exécution d'une application auto-signée avec une version obsolete ou arrivée à expiration de Java.

    which would translate roughly as:

    Application blocked by the security settings
    Your security settings have blocked from running an application that has been self-signed with an obsolete or outdated Java.

    The grammar is not that clear, the end of the sentence could be read as either:

    • ...blocked a self-signed application from running with an obsolete or outdated Java [runtime], meaning that the local runtime is too old, but the self-signature is fine
    • ...blocked an application that has been self-signed with an obsolete or outdated Java [compiler], meaning that the Java compiler used is too old

    I searched online for the exact same message in English, but I couldn't find it. So the grammar is still unclear. Note that on the message there is no Name: xyz / From: http://url/, there's only the text I typed above, and a blue "i" icon.

    Now, I don't really understand the exact meaning of this error message, but I know that there is an issue because my JAR files are all self-signed. I have already faced this on other Windows clients, and it was easy:

    • I extracted a .cer certificate from my keystore;
    • Downloaded it on the client machine, opened it;
    • Made the customers install it as a trusted source on their local machine.

    It worked like a charm on my test setup and for one customer, but another one still has the issue and cannot run my software.

    This is a big issue for me, and I don't know what to do. Should I upgrade my Java compiler, recompile everything, sign every JAR file again and cross fingers? How can I make that Windows box trust my certificate and let the Java application run?

  • psycho over 10 years
    I just had the same problem, except that I'm a simple user in this case - not developing nor deploying the app - so I can't access the signing keys and @Mehdi's solution worked perfectly.
  • psycho over 10 years
    ... which happens to be the exact same solution as @troscher's. Don't know why I didn't see it first.
  • Todd Lyons about 10 years
    Non-standard ports must also be included. As an example, an internal Proxmox server will use a URL that starts with https://hostname.example.com:8006/foo. The self-signed certificate check fails if you only allow https://hostname.example.com. You must include the full https://hostname.example.com:8006 for it to work properly.
  • Justin Skiles about 10 years
    Only acceptable on certain versions of Java. I know for a fact that Java 1.7_45 does not have a whitelist option.
  • steveayre about 10 years
    Adding a certificate as a CA isn't exactly secure... they could then use that certificate to sign certificates for any domain.
  • Andrew Steitz almost 10 years
    +1 for steveayre's comment. This is not really a very good idea and, as psycho pointed out, not at all practical in most situations. You should SERIOUSLY consider un-accepting your answer and accepting Mehdi's answer instead. Then remove your answer or just edit it and say that people should follow Mehdi's advice.
  • Benoit Duffez almost 10 years
    Thanks for the note Andrew. I have edited my answer, I think it's now clear enough.
  • Andrew Steitz almost 10 years
    DANGER: This works but exposes your computer to many potential security risks. If you trust the source it is much less risky to add that site to the Exception Site List. See answers from Mehdi or troscher.
  • cabaji99 almost 9 years
    Had the same problem but on Linux Mint, so I had to go to the Java 8 plugin control panel and edit the list, then restart Firefox for the changes to be applied.
  • lbarbosa over 8 years
    If launching via Java Web Start (JNLP file), open the file with a text editor, locate the <jnlp> tag and use the URL in the "codebase" attribute to add to the whitelist. It should launch after that.
  • rogerdpack almost 8 years
    Worked for me with java version 1.8.0_74 (make sure to include port in the url if it isn't the standard port 80, or else it assumes port 80 only).
  • Kevin over 7 years
    XFCE menu item was "Oracle Java 7 Plugin Control Panel" as I had installed "oracle-java7-installer"
  • user85421 about 7 years
    A bit late, but I must say that I prefer this solution: I trust my key or code signed with it more than I trust a remote site!
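
The codebase and port points raised in the comments above, as an added example that is not part of the original thread: a Python sketch that derives the Exception Site List entry from a JNLP file's `codebase` attribute and checks whether an existing list covers a launch URL. The matching rule (scheme, host and port must all be equal, with the default port filled in) is a simplified assumption based on the comments, and the sample JNLP and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample JNLP; host and port follow the Proxmox example in the comments.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://hostname.example.com:8006/foo" href="app.jnlp">
  <information><title>Constructed sample</title><vendor>Example</vendor></information>
</jnlp>"""


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]


def site_entry_from_jnlp(jnlp_text):
    """Derive the site-list entry from the codebase attribute of <jnlp>."""
    # A JNLP file needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in jnlp_text or "<!ENTITY" in jnlp_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(jnlp_text)
    if root.tag != "jnlp" or not root.get("codebase"):
        raise ValueError("no <jnlp codebase=...> attribute found")
    scheme, host, port = origin(root.get("codebase"))
    # Assumption of this sketch: list only the origin, keeping a non-standard port explicit.
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"


def is_covered(site_list_lines, launch_url):
    """True if some entry has the same scheme, host and port as launch_url."""
    target = origin(launch_url)
    for line in site_list_lines:
        try:
            if origin(line) == target:
                return True
        except ValueError:
            continue  # blank, comment or malformed entry
    return False
```

Running `is_covered` over the current site list before touching certificate stores shows whether a blocked launch is simply a missing port in the entry.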