Java Error: Failed to validate certificate. The application will not be executed

Hi,

Last week a customer wanted to connect to the administration interface of a Brocade FC switch, but the Java applet did not start. This error message was shown: “Failed to validate certificate. The application will not be executed”


A closer look at the certificate shows that it was signed with the MD2withRSA signature algorithm.


Java disables MD2 by default, along with RSA keys shorter than 1024 bits. Neither is considered secure any longer, so Java rejects such certificates.

You can disable this check if you have to start the applet to access your FC switch. Locate the file java.security in the lib/security folder of your Java installation and comment out the following line:

# jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

The applet should start now, but for security reasons it is recommended to revert this change once it is no longer needed.

Michael
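
To find machines where this workaround was left in place, here is an added example (not part of the original post) that parses the text of a java.security file and compares jdk.certpath.disabledAlgorithms with the default line quoted above. It also flags the emptied and lowered-key-size variants suggested in the comments; the function names and sample fragments are constructed for illustration.

```python
import re

PROP = "jdk.certpath.disabledAlgorithms"
BASELINE_ALGS = {"MD2"}   # from the default line quoted in the post
BASELINE_RSA_MIN = 1024   # "RSA keySize < 1024"

def read_property(text, name):
    """Return the effective value of `name` in java.security text, or None."""
    value, pending = None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue                      # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):           # properties-file line continuation
            pending = line[:-1]
            continue
        pending = ""
        key, _, val = line.partition("=")
        if key.strip() == name:
            value = val.strip()           # the last definition wins
    return value

def audit(text):
    """List deviations from the baseline; an empty list means unchanged."""
    value = read_property(text, PROP)
    if value is None:
        return ["property is commented out or missing"]
    if not value:
        return ["property is empty: no certpath restrictions listed"]
    names = {e.split()[0].upper() for e in value.split(",") if e.strip()}
    findings = [f"{a} is no longer disabled" for a in sorted(BASELINE_ALGS - names)]
    m = re.search(r"\bRSA\s+keySize\s*(<=?)\s*(\d+)", value, re.I)
    minimum = int(m.group(2)) + (m.group(1) == "<=") if m else 0
    if minimum < BASELINE_RSA_MIN:
        findings.append(f"RSA keys accepted down to {minimum} bits")
    return findings

SAMPLES = {  # constructed java.security fragments, not taken from a real host
    "default": "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n",
    "commented": "# jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n",
    "emptied": "jdk.certpath.disabledAlgorithms=\n",
    "lowered": "jdk.certpath.disabledAlgorithms=MD2, \\\n  RSA keySize < 256\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit(text) or "matches baseline")
```

Pass `audit()` the contents of each installation's lib/security/java.security; any non-empty result means the restriction differs from the default line in the post.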

74 thoughts on “Java Error: Failed to validate certificate. The application will not be executed”

  1. This solution definitely helped get me further into the launch of the application. But in my case, using java 8u25, I got an additional popup that claimed, ‘Your security settings have blocked an application from running due to missing a “Permissions” manifest attribute in the main jar.’

    This despite the fact that I already added the URL of the switch to the Exception Site List in Control Panel. The Java docs say that should be enough to bypass this security check (http://java.com/en/download/help/jcp_security.xml), but there must be some other step I’m missing. Any ideas?

      1. Yes, unfortunately, I have tried that to no avail. Adding the URL to the Exception Site List has indeed worked for me for other equipment, such as Navisphere. But on my Brocade running 6.3, it doesn’t clear up that error message. I’ll let you know if I find a solution.

        1. For Java 8, try not to comment the line “jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024”, but to change 1024 to 256. It worked for me.

        2. The only thing I have found to solve this problem is to stay on Java 7 and turn it to “Medium” security. Frustrating, but at least it works.

    1. Hi,

      read the javahome key from the registry. Open a command prompt (cmd.exe) and execute.

      [H:\]reg query "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7" -v JavaHome

      HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7
      JavaHome REG_SZ C:\Program Files\Java\jre7

      and for 32Bit Java on Windows x64
      D:\>reg query "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7" -v JavaHome

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7
      JavaHome REG_SZ C:\Program Files (x86)\Java\jre1.7.0_55

      then you’ll find the java.security file in the subfolder lib\security:
      C:\Program Files\Java\jre7\lib\security\java.security

      Michael

  2. Wow! I helped someone to resolve this issue and he jumped out of his seat and said, “You are a genius”. I felt happy; the credit goes to you, Michael. Thank you 🙂

  3. Hi, I had found the file C:\Program Files\Java\jre7\lib\security\java.security
    but where should I put the comment?
    ‘# jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024’?

  4. hey michael
    I logged in as an administrator and unchecked the read-only tab. It is still not allowing me to amend it. Btw, I am trying to open the file with WordPad. Is it okay? Or is that what I’m doing wrong?

    1. Hi,

      can you post me the output of some command line tools 🙂 ? First of all get AccessChk.exe from sysinternals (http://download.sysinternals.com/files/AccessChk.zip). Start notepad.exe or wordpad.exe as administrator and open your java.security file. Then execute the following commands (adjust the path to your java.security file):
      Against the java.security file
      C:> accesschk "C:\Program Files\Java\jre7\lib\security\java.security"
      C:> icacls "C:\Program Files\Java\jre7\lib\security\java.security"
      C:> attrib "C:\Program Files\Java\jre7\lib\security\java.security"

      Against the process
      C:> \accesschk.exe -p wordpad.exe

      Michael

      1. hey michael
        Thanks for your response and attention. Actually I am quite a novice amongst you all.
        I simply want to run my digital signature on some website. My error is exactly what is displayed at the beginning of this thread. As per your solution I tried adding that line in my java.security file, but while saving it, it says access is denied. Also, I downloaded AccessChk.exe but, sorry to say, was not able to understand the solution that you provided. So I would be happy if you could help me further.

        1. Hi,

          the previous post isn’t a solution 🙂 I just want to figure out why you can’t save the file. Open a command shell (cmd.exe) with administrator rights and execute the following commands:

          accesschk "C:\Program Files\Java\jre7\lib\security\java.security"
          icacls "C:\Program Files\Java\jre7\lib\security\java.security"
          attrib "C:\Program Files\Java\jre7\lib\security\java.security"
          accesschk.exe -p wordpad.exe

          and send me the output.

          Michael

  5. Michael, this is working in my other colleague’s profile, but for me I get this error. I have been trying this on a shared Windows server through Remote Desktop and do not have access to the security file to change it. Are there any profile changes I should suggest to my Windows admin, or any entry in the specific file?

    1. Hi,

      AFAIK java security can be overwritten within a user profile but this has to be enabled by the administrator of the machine. I think you have to contact your Windows Admin.

      Michael

  6. hi Michael

    I commented the line in a Windows 10 preview having this issue but still receive the error. I run Jre1.8.0_31. The Certificate Details show the algorithm is SHA1withRSA. Can you see a solution?

    thanks

    Lex

  7. hi Michael

    Yes, I added this to the Exception Site List in the Security tab page of Java. The error is still “Failed to validate certificate” etc., both in IE and FFox. Subject of Certification details are
    Signature Algorithm [SHA1withRSA]
    Issuer CN=Verisign Class 3 Code Signing 2010CA, etc
    Subject CN=”Oracle America Inc.” etc.

    It is windows 10 preview but would be great to see we can get this working.

    thanks

    Lex

  8. hi Michael

    Is that done when I comment also the line in the java.security as
    # jdk.tls.disabledAlgorithms=SSLv3
    or are other comments needed?

    thanks again,

    Lex

    1. Hi Lex,

      The revocation checks can be disabled at the Java Control Panel.

      Do not comment the parameters
      jdk.tls.disabledAlgorithms
      jdk.certpath.disabledAlgorithms

      Leave it and do not specify any parameter after the equal sign, because when the parameters aren’t defined I do not know which default values Java sets.
      jdk.tls.disabledAlgorithms=
      jdk.certpath.disabledAlgorithms=

      Could it be that the URL you added to the exception list is changed in the background by the applet? Maybe
      http://hostname.org
      to
      http://123.34.21.34

      or http://alias.org
      to
      https://hostname.com

      for example. See

      https://www.java.com/en/download/help/java_blocked.xml

      then you have to add both to the exception list. After adding the URL to the exception all apps should start perhaps with some warnings but they start.

      Have you more details about the certificate? Expiration day, Key Size…?

      The revocation checks can be disabled at the Java Control Panel.

      Michael

  9. Hi Michael,

    Do I need to restart the machine after commenting this line, “jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024”, for Java 8? Is there another alternative for Java 8? Please share.

    Thanks In Advance.

    1. Hi chaitanya,

      have you also tried this (copied from a previous comment reply):
      Could it be that the URL you added to the exception list is changed in the background by the applet? Maybe
      http://hostname.org
      to
      http://123.34.21.34

      or http://alias.org
      to
      https://hostname.com

      for example. See

      https://www.java.com/en/download/help/java_blocked.xml

      then you have to add both to the exception list. After adding the URL to the exception all apps should start perhaps with some warnings but they start.

      Michael

  10. In Windows 8, search for Configure Java and in the Java Control Panel->Advanced Tab->Perform signed code certificate revocation checks on->Do not check
    Then your problem is solved. Although it’s not recommended “by Java”.

  11. A similar issue for me, but with signature algorithm [MD5withRSA], I really need to run some Java applets for my Physics class, is there any solution to this? :/

    1. I have a similar issue for SHA1withRSA.

      As you said, I already added it to the Exception list in Java, and to the Internet Explorer trusted sites also.

      Also added in Security file under lib folder

      # jdk.certpath.disabledAlgorithms=SHA1, DSA keySize < 1024

      On my machine, I have Java version 6 update 29.

      Could you please help with that issue?

      Regards, Vikram

  12. Hi Michael,

    I’m facing the same Application blocked for security “Failed to validate the certificate” error. I’m running Java 8u101 on Windows 7 and IE 11. I’m facing this error for all the sites where I’m requested to load Java Applets. Is it due to any specific reason I’m facing this error ?
    Please suggest.

  13. Hello
    it solved with me with the following
    1- open java applet from control panel
    2- go to advanced
    3- select don’t check under (perform TLS certificate revocation ….)
    4- select also don’t check under (perform signed code revocation …)
    Faisal Shaheen
    Elsewedy Cables

  14. Hi Michael,

    I am having similar issue like Lex. It still shows the failure message. I tried all that you recommended.
    1. Commented the java.security.
    2. select don’t check under (perform TLS certificate revocation ….)
    3. select don’t check under (perform signed code revocation …)
    4. Added IP address to the exception list.
    Nothing works.
    The same works when I roll back to Java 6.

    The certificate details are as below.
    Signature Algorithm : [SHA1withRSA]
    Issuer: CN=VeriSign Class 3 Code Signing 2010 CA,
    OU=VeriSign Trust Network,
    O=”VeriSign, Inc.”,
    C=US

    Please let me know if you have any other suggestion.

    Thanks,
    Sanjay

  15. Hello
    it solved with JRE 8/165 with the following
    1- open Configure java from control panel
    2- go to advanced
    3- select don’t check under (perform TLS certificate revocation ….)
    4- select also don’t check under (perform signed code revocation …)
    K Nandini
    Mechinno Engineering Solutions

  16. You know, thanks Mike. I appreciate this article. I have to say, Java is really ridiculous. It shouldn’t take for us to do this in order to get applets to run. It should be like it used to be. You add an exception (I connect to KVM and IPMI a lot using IP addresses as opposed to domain names) to the list of exceptions, and it just works. Instead, I spent nearly 2 hours just trying to get around this to reconfigure a server. It’s just dumb. Thank goodness that everything is slowly moving away from Java. It’s so stupid that they make you jump through all these hoops for something simple.
