Java Error: Failed to validate certificate. The application will not be executed

Hi,

Last week a customer wanted to connect to the administration interface of a Brocade FC switch, but the Java applet did not start. This error message was shown: “Failed to validate certificate. The application will not be executed”

Failed to validate certificate. The application will not be executed

A detailed look at the certificate shows that it was signed with the MD2withRSA signature algorithm.

Java Certificate error

Java certificate details

MD2 is disabled in Java by default, as are RSA keys with fewer than 1024 bits. Neither is considered secure any longer, so Java rejects such certificates.

You can disable this check if you have to start the applet to access your FC switch. Locate the file java.security in the lib/security folder of your Java installation and comment out the following line:

# jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

The applet should start now, but for security reasons it is recommended to revert this change once it is no longer needed.

Michael
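
To confirm that the workaround has been reverted once the applet is no longer needed, the setting can be checked mechanically. The following is an added example, not part of the original post: it reads java.security text and reports where jdk.certpath.disabledAlgorithms is weaker than the line shown above. The function names, finding labels and sample file contents are constructed for illustration.

```python
import re

PROP = "jdk.certpath.disabledAlgorithms"
RSA_RE = re.compile(r"RSA\s+keySize\s*(<=?)\s*(\d+)$", re.I)

def read_property(text, name):
    """Active value of `name` in java.security text, or None if it is absent
    or commented out. Joins backslash-continued lines; last definition wins."""
    value, lines = None, iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def audit(text):
    """Compare with the article's line: MD2 disabled, RSA below 1024 bits disabled."""
    value = read_property(text, PROP)
    if value is None:
        return ["commented-out-or-missing"]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["empty"]
    findings = []
    if "MD2" not in (e.upper() for e in entries):
        findings.append("md2-allowed")
    bounds = []  # smallest RSA key size still accepted, per matching entry
    for e in entries:
        m = RSA_RE.match(e)
        if m:
            bounds.append(int(m.group(2)) + (m.group(1) == "<="))
    if not bounds or max(bounds) < 1024:
        findings.append("rsa-keysize-below-1024")
    return findings

# Constructed sample file contents (not taken from a real installation).
SHIPPED = "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n"
COMMENTED = "# " + SHIPPED
LOWERED = "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256\n"
EMPTY = "jdk.certpath.disabledAlgorithms=\n"
CONTINUED = "jdk.certpath.disabledAlgorithms=MD2, MD5, \\\n    RSA keySize < 1024\n"

if __name__ == "__main__":
    for name in ("SHIPPED", "COMMENTED", "LOWERED", "EMPTY", "CONTINUED"):
        print(name, audit(globals()[name]) or "ok")
```

To check a real installation, pass the contents of its lib/security/java.security file to audit(); an empty list means the restriction matches the line shown above.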

66 comments to this article

  1. You are a life saver!

    Reply

  2. You saved me hours of troubleshooting!!!

    Reply

  3. This was incredibly helpful.. thanks!

    Reply

  4. This solution definitely helped get me further into the launch of the application. But in my case, using java 8u25, I got an additional popup that claimed, ‘Your security settings have blocked an application from running due to missing a “Permissions” manifest attribute in the main jar.’

    This despite the fact that I already added the URL of the switch to the Exception Site List in Control Panel. The Java docs say that should be enough to bypass this security check (http://java.com/en/download/help/jcp_security.xml), but there must be some other step I’m missing. Any ideas?

    Reply

    • Hi Matt,

      have you tried the workaround described here https://www.java.com/en/download/help/java_blocked.xml

      Reply

      • Yes, unfortunately, I have tried that to no avail. Adding the URL to the Exception Site List has indeed worked for me for other equipment, such as Navisphere. But on my Brocade running 6.3, it doesn’t clear up that error message. I’ll let you know if I find a solution.

        Reply

        • For Java 8, try not to comment out the line “jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024”, but to change 1024 to 256. It worked for me.

          Reply

          • It worked for me, thanks bro.

        • The only thing I have found to solve this problem is to stay on Java 7 and turn it to “Medium” security. Frustrating, but at least it works.

          Reply

  5. Hi, how do I find the java.security file on my computer? And where do I comment after searching for the file, if it's a security file? How do I open that file?

    Reply

    • Hi,

      read the JavaHome key from the registry. Open a command prompt (cmd.exe) and execute:

      [H:\]reg query "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7" -v JavaHome

      HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7
      JavaHome REG_SZ C:\Program Files\Java\jre7

      and for 32-bit Java on Windows x64:
      D:\>reg query "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7" -v JavaHome

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7
      JavaHome REG_SZ C:\Program Files (x86)\Java\jre1.7.0_55

      then you’ll find the java.security file in the subfolder lib\security:
      C:\Program Files\Java\jre7\lib\security\java.security

      Michael

      Reply

  6. Wow! I helped someone to resolve this issue and he jumped out of his seat and said, “You are a genius”. I felt happy; the credit goes to you, Michael. Thank you 🙂

    Reply

    • 🙂 Michael

      Reply

  7. What do you mean by “comment the following”, where should I put the code???

    Reply

    • Hi Domsta,

      set a hashtag # at the beginning of a line. This marks the line as a comment and the line is ignored by Java.

      Michael

      Reply

  8. Hi, I found the folder and everything, but it won't let me add the jdk to the folder; it says access denied.

    Reply

    • Hi Brian,

      you have to start your editor with administrator rights to open the file.

      Michael

      Reply

  9. I did the same, still it doesn’t help? I’m still getting the same error.

    Reply

    • Have you also checked the file attributes? Is the read-only attribute set?

      Reply

  10. You are a lifesaver, worked for me

    Reply

  11. Hi, I had found the file C:\Program Files\Java\jre7\lib\security\java.security
    but where should I put the comment?
    '# jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024'?

    Reply

    • Hi Lily,

      yes, the comment character # at the beginning of the line jdk.certpath.disabledAlgorithms…

      Michael

      Reply

  12. Hi Michael,

    Works like a charm! 🙂 Thanks for this!

    Reply

  13. Hey Michael,
    I logged in as an administrator and unchecked the read-only tab. Still not allowing me to amend it. bdy I am trying to open the file with WordPad. Is it okay?? Or is that what I'm doing wrong?

    Reply

    • Hi,

      can you post me the output of some command line tools 🙂 ? First of all get AccessChk.exe from sysinternals (http://download.sysinternals.com/files/AccessChk.zip). Start notepad.exe or wordpad.exe as administrator and open your java.security file. Then execute the following commands (adjust the path to your java.security file):
      Against the java.security file
      C:\> accesschk "C:\Program Files\Java\jre7\lib\security\java.security"
      C:\> icacls "C:\Program Files\Java\jre7\lib\security\java.security"
      C:\> attrib "C:\Program Files\Java\jre7\lib\security\java.security"

      Against the process
      C:\> accesschk.exe -p wordpad.exe

      Michael

      Reply

      • Hey Michael,
        thanks for your response and attention. Actually I am quite a novice amongst you all.
        I simply want to run my digital signature on some website. My error is exactly what is displayed at the beginning of this thread. As per your solution I tried adding that line in my java security file, but while saving it, it says access is denied. Also I downloaded accesschk.exe but, sorry to say, was not able to understand the solution that you provided. So I would be happy if you could help me further.

        Reply

        • Hi,

          the previous post isn’t a solution 🙂 I just want to figure out why you can’t save the file. Open a command shell (cmd.exe) with administrator rights and execute the following commands:

          accesschk "C:\Program Files\Java\jre7\lib\security\java.security"
          icacls "C:\Program Files\Java\jre7\lib\security\java.security"
          attrib "C:\Program Files\Java\jre7\lib\security\java.security"
          accesschk.exe -p wordpad.exe

          and send me the output.

          Michael

          Reply

  14. Thanks, you are a life saver!!!

    Reply

  15. Michael, this is working in my other colleague's profile but for me I get this error. I have been trying this on a shared Windows server through Remote Desktop and do not have access to the security file to change it. Are there any profile changes I should suggest to my Windows admin, or any entry in the specific file?

    Reply

    • Hi,

      AFAIK java security can be overwritten within a user profile but this has to be enabled by the administrator of the machine. I think you have to contact your Windows Admin.

      Michael

      Reply

  16. hi Michael

    I commented the line in a Windows 10 preview having this issue but still receive the error. I run Jre1.8.0_31. The Certificate Details show the algorithm is SHA1withRSA. Can you see a solution?

    thanks

    Lex

    Reply

    • Hi Lex,

      have you also tried to add the URL to the “Exception Site List” in the “Java Control Panel” Security Tab?

      Michael

      Reply

  17. hi Michael

    Yes, I added this to the Exception Site List in the Security tab page of Java. The error is still Failed to validate certificate etc., both in IE and FFox. Subject of Certification details are
    Signature Algorithm [SHA1withRSA]
    Issuer CN=Verisign Class 3 Code Signing 2010CA, etc
    Subject CN=”Oracle America Inc.” etc.

    It is windows 10 preview but would be great to see we can get this working.

    thanks

    Lex

    Reply

    • Hi Lex,

      have you also disabled the certificate revocation checks for signed code and TLS?

      Michael

      Reply

  18. hi Michael

    Is that done when I comment also the line in the java.security as
    # jdk.tls.disabledAlgorithms=SSLv3
    or are other comments needed?

    thanks again,

    Lex

    Reply

    • Hi Lex,

      The revocation checks can be disabled at the Java Control Panel.

      Do not comment the parameters
      jdk.tls.disabledAlgorithms
      jdk.certpath.disabledAlgorithms

      Leave it and do not specify any parameter after the equal sign, because when the parameters aren’t defined I do not know which default values Java sets.
      jdk.tls.disabledAlgorithms=
      jdk.certpath.disabledAlgorithms=

      Could it be that the URL you added to the exception list is changed in the background by the applet? Maybe
      http://hostname.org
      to
      http://123.34.21.34

      or http://alias.org
      to
      https://hostname.com

      for example. See

      https://www.java.com/en/download/help/java_blocked.xml

      then you have to add both to the exception list. After adding the URL to the exception list all apps should start, perhaps with some warnings, but they start.

      Do you have more details about the certificate? Expiration day, key size…?

      The revocation checks can be disabled in the Java Control Panel.

      Michael

      Reply

  19. Great! Thank you very much.

    Reply

  20. Hi Michael,

    Do I need to restart the machine after commenting out this line, “jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024”, for Java 8? Is there another alternative for Java 8? Please share.

    Thanks In Advance.

    Reply

  21. Thank you Very much!

    Reply

  22. In Windows 8, search for Configure Java and in the Java Control Panel->Advanced Tab->Perform signed code certificate revocation checks on->Do not check
    Then your problem is solved. Although it's not recommended “by Java”.

    Reply

    • Thank you so much, you are too good

      Reply

  23. Hi Jonathan,

    Your solution worked for me, thanks a lot…You da man!

    Reply

  24. **Important – Check your computer time, date and time zone first. If any of these settings are wrong, this can cause this same error to occur!

    Reply

  25. Thank you SO much, you saved my behind!

    Reply

  26. Thank you SO much!

    Reply

  27. Thank you for this valuable information…

    Reply

  28. Worked for me! j7u65
    Many thanks!

    Reply

  29. Thx!

    Reply

  30. Worked for me. You are really a genius.

    Reply

  31. I’m having a similar issue but the signature algorithm shows [SHA1withDSA]. Is there anything I can do with this?

    Reply

  32. I am getting similar issue with signature algorithm [SHA1withRSA]. Any solution is appreciated.

    Reply

  33. A similar issue for me, but with signature algorithm [MD5withRSA], I really need to run some Java applets for my Physics class, is there any solution to this? :/

    Reply

    • Hi Saad,

      Update:
      remove MD5 from the line

      jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
      to
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      Michael

      Reply

    • I have the similar issue for SHA1withRSA.

      As you said, I already added it to the Exception list in Java, and to the Internet Explorer trusted sites also.

      Also added in Security file under lib folder

      # jdk.certpath.disabledAlgorithms=SHA1, DSA keySize < 1024

      On my machine, I have Java version 6 update 29.

      Could you please help with that issue?

      Regards, Vikram

      Reply

  34. Michael you’re the real MVP, thank you so much!

    Reply

  35. Hi Michael,

    I’m facing the same Application blocked for security “Failed to validate the certificate” error. I’m running Java 8u101 on Windows 7 and IE 11. I’m facing this error for all the sites where I’m requested to load Java Applets. Is it due to any specific reason I’m facing this error ?
    Please suggest.

    Reply

  36. Perfect!

    Reply

  37. Hello,
    it was solved for me with the following:
    1- open java applet from control panel
    2- go to advanced
    3- select don’t check under (perform TLS certificate revocation ….)
    4- select also don’t check under (perform signed code revocation …)
    Faisal Shaheen
    Elsewedy Cables

    Reply

  38. Hi Michael,

    I am having similar issue like Lex. It still shows the failure message. I tried all that you recommended.
    1. Commented the java.security.
    2. select don’t check under (perform TLS certificate revocation ….)
    3. select don’t check under (perform signed code revocation …)
    4. Added IP address to the exception list.
    Nothing works.
    The same works when I roll back to Java 6.

    The certificate details are as below.
    Signature Algorithm : [SHA1withRSA]
    Issuer: CN=VeriSign Class 3 Code Signing 2010 CA,
    OU=VeriSign Trust Network,
    O=”VeriSign, Inc.”,
    C=US

    Please let me know if you have any other suggestion.

    Thanks,
    Sanjay

    Reply

    • It's working, thank you

      Reply

  39. Thanks Michael,
    Your solution has really saved me..

    Reply

  40. Thank you very much 🙂

    Reply

  41. In some cases the error appears on repeated attempts to install Voyant and they are unable to complete the installation.

    Reply

  42. solved my problem.. Thanks a lot!!!

    Reply

  43. Hello,
    it was solved with JRE 8/165 with the following:
    1- open Configure java from control panel
    2- go to advanced
    3- select don’t check under (perform TLS certificate revocation ….)
    4- select also don’t check under (perform signed code revocation …)
    K Nandini
    Mechinno Engineering Solutions

    Reply
