From 30 Oct, 2017 Customers See Certificate Expiration Exceptions when Launching Their Java Client Applications (JavaWebstart, Applets) (Doc ID 2327847.1)

Last updated on JANUARY 20, 2023

Applies to:

Symptoms

Starting from 30 Oct, 2017, a number of customers experienced certificate expiration exceptions with their Java client applications (Java WebStart, applets).  An example of the message that might be seen:

The expected behavior is they should not get this certificate expiration exception if jars were signed and stamped with valid certificate. 

Changes

On October 30, 2017, the certificate for the GeoTrust Time Stamp Authority (TSA) expired.  The GeoTrust TSA uses SHA-1 and has been decommissioned by Symantec.  If your application is using a signed JAR that is also time stamped with the GeoTrust TSA, then you may get errors when running the applet or application with Java WebStart, Plugin, DRS. 

How to identify the problem:
To check if your JAR is times stamped with the GeoTrust TSA, you can use the jarsigner utility (although you must use JDK 9, 8u121, 7u131, 6u141 or later).

Run "jarsigner -verify -verbose <jarfile>" and look for the GeoTrust TSA in the output (since https://timestamp.geotrust.com/tsa is decommissioned no real examples available)

You can also use the keytool utility (JDK 7 and later) to see if the JAR is time stamped and get more details on the certificate chain.

Run "keytool -printcert -jarfile <jarfile>" and look for the GeoTrust TSA in the output (since https://timestamp.geotrust.com/tsa is decommissioned no real examples available)

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.