Failed to validate certificate with latest Java 7

Hello,

After updating a dev system to the latest Java 7 (1.7.0_13 on Win7-64) I am unable to start the designer or clients.
I already tried clearing the Ignition and Java caches without success.
Any idea what could be wrong?

Java WebStart fails with an InvalidKeyException.

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	... 20 more
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
	... 24 more

Go to Control Panel>Java, and then to the Advanced tab. Expand “Security”. Are either of the following two options selected?
“Check publisher certificate for revocation”
“Enable online certificate validation”

If they are, deselect them.

Thank you for the quick reply.

Deselecting those settings worked, but I am pretty sure that our IT department will not like this solution. Is this something that might be fixed in future Java / Ignition versions?

What version of Ignition are you currently using? This may be due to the certificate being expired in an older version of Ignition. Upgrading may correct the inability to validate the certificate.

The Ignition version is already the latest 7.5.5

Is the computer that you're launching the client/designer on connected to the internet?

Yes, it is. This is my private dev system, so there should be nothing preventing certificate evaluation. I just tried to disable the firewall but that made no difference.
The gateway runs in a VM on the same machine.

I will put a ticket in the system to have the development team take a look at this. I found some information regarding this error message, but it has to do with a potential bug in Java. The workaround that I described to you is also found on the Oracle website. We do have some related forum threads in our forums.

You are right, this is an open bug in Java. I should have looked there first. (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7174966).

Seems that Java 7 is not able to evaluate certificates issued by Comodo.

Correct

1 Like
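
The innermost exception in the trace at the top of this thread is thrown by `Signature.initVerify`, which is documented to refuse an X.509 certificate whose KeyUsage extension is marked critical and does not include digitalSignature. The following added example (not part of the original thread, and not Ignition or Oracle code) applies that check to certificates exported to a file so the one that triggers the rejection can be identified; the class name `KeyUsageCheck` and the input file are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

// Added diagnostic; class name is hypothetical. Usage: java KeyUsageCheck certs.pem
public class KeyUsageCheck {
    static final String KEY_USAGE_OID = "2.5.29.15"; // X.509 KeyUsage extension

    // True when Signature.initVerify(Certificate) is documented to refuse the
    // certificate: KeyUsage is critical and digitalSignature (bit 0) is not set.
    static boolean rejectedForVerify(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean[] usage = cert.getKeyUsage();
        return critical != null && critical.contains(KEY_USAGE_OID)
                && usage != null && !usage[0];
    }

    // Cross-check against the running JRE with the same call the trace shows.
    // Handles RSA, DSA and EC keys; other key types raise NoSuchAlgorithmException.
    static String jreVerdict(X509Certificate cert) throws Exception {
        String alg = cert.getPublicKey().getAlgorithm();
        Signature sig = Signature.getInstance(
                "SHA1with" + ("EC".equals(alg) ? "ECDSA" : alg));
        try {
            sig.initVerify(cert);
            return "accepted";
        } catch (InvalidKeyException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: KeyUsageCheck <PEM or DER certificate file>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal().getName());
                System.out.println("  predicted reject: " + rejectedForVerify(x)
                        + ", JRE initVerify: " + jreVerdict(x));
            }
        }
    }
}
```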

Good excuse for us to get a new cert anyhow. We’ll have a cert from Symantec in 7.5.6. That’s the best we can do.

I installed the latest version of Ignition (Ignition-7.6.0-windows-x64-installer) and the latest version of Java (Version 7 Update 21) yesterday and still have this problem.

The workarounds above did not fix it either.

Thanks.

Really!? Our current cert is valid until 2016…

What are the cert details you see under the Java control panel > Security > Certificates?

What certificate type should I look at?
There is Trusted Certificates, Secure Site, Signer CA, Secure Site CA and Client Authentication.
And a User and System tab.

Trusted / User

There is nothing in there, completely empty.

My computer's OS is Ubuntu Linux, I’m running Ignition on a Windows 7 virtual machine (vmware).
Don’t know if this could have anything to do with the problem.

Thanks.

How can I get the necessary certificates?

Thanks.

You do not need any certificates. The certificates are contained within the application. I suspect that something is strange with your Java installation, as we are unable to reproduce this issue. You might try updating to the latest version of Java 7?