My Oracle Support Banner

From 30 Oct, 2017 Customers See Certificate Expiration Exceptions when Launching Their Java Client Applications (JavaWebstart, Applets) (Doc ID 2327847.1)

Last updated on FEBRUARY 16, 2019

Applies to:

Java SE JDK and JRE - Version 6 to 8
Information in this document applies to any platform.
- https://blogs.oracle.com/mullan/java-applications-that-are-signed-and-timestamped-with-the-geotrust-timestamp-authority-are-no-longer-working

Symptoms

Starting from 30 Oct, 2017, a number of customers experienced certificate expiration exceptions with their Java client applications (Java WebStart, applets).  An example of the message that might be seen:

The expected behavior is they should not get this certificate expiration exception if jars were signed and stamped with valid certificate. 

Changes

On October 30, 2017, the certificate for the GeoTrust Time Stamp Authority (TSA) expired.  The GeoTrust TSA uses SHA-1 and has been decommissioned by Symantec.  If your application is using a signed JAR that is also time stamped with the GeoTrust TSA, then you may get errors when running the applet or application with Java WebStart, Plugin, DRS. 

How to identify the problem:
To check if your JAR is times stamped with the GeoTrust TSA, you can use the jarsigner utility (although you must use JDK 9, 8u121, 7u131, 6u141 or later).

Run "jarsigner -verify -verbose <jarfile>" and look for the GeoTrust TSA in the output.

You can also use the keytool utility (JDK 7 and later) to see if the JAR is time stamped and get more details on the certificate chain.

Run "keytool -printcert -jarfile <jarfile>" and look for the GeoTrust TSA in the output.

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.