From Oct 30, 2017 customers start getting certificate expire exception in their java applications (JavaWebstart, Applets, DRS)
Last updated on DECEMBER 12, 2017
Applies to:Java SE JDK and JRE - Version 6 to 8
Information in this document applies to any platform.
Starting from Oct 30, 2017 number of customers start getting certificate expire exception in their java applications (JavaWebstart, applets, DRS)
Messages: <Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running>.
The expected behavior is they should Not get this certificate expire exception, if jars were signed and stamped with valid certificate.
On October 30, 2017, the certificate for the GeoTrust TSA (Time Stamp Authority) was expired.
The GeoTrust TSA uses SHA-1 and has been decommissioned by Symantec, see this article for more information: https://knowledge.symantec.com/support/partner/index?page=content&id=NEWS10071&viewlocale=en_US
If your application is using a signed JAR that is also time stamped with the GeoTrust TSA, then you may get errors when running the applet or application with Java WebStart, Plugin, DRS.
How to identify the problem:
To check if your JAR is times tamped with the GeoTrust TSA, you can use the jarsigner utility (although you must use JDK 9, 8u121, 7u131, 6u141 or later).
Run "jarsigner -verify -verbose <jarfile>" and look for the GeoTrust TSA in the output.
You can also use the keytool utility (JDK 7 and later) to see if the JAR is time stamped and get more details on the certificate chain.
Run "keytool -printcert -jarfile <jarfile>" and look for the GeoTrust TSA in the output.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms