I signed the Jar file using jarsigner and redeployed. On my development environment I got a warning sign saying that the certificate was from me and asked if I wanted to trust it. After accepting, the applet worked fine and I get no more yellow warning signs nor am I prompted to trust it each time.
This morning I deployed the same jar on our production environment.
I log in and I get:
"The published cannot be verified by a trusted source. Code will be treated as unsigned."
"sun.security.validator.ValidatorException.PKIX path validation failed:"
"java.security.cert.CertPathValidatorException: algorithm, check failed: MD2withRSA is disabled"
I click OK and the problem is not fixed. This is a different error message than what I got on development, so I am not sure what the difference is or what the nature of the new error is.
Could someone give me some ideas as to what I need to check? I do not directly maintain our production and development environments so I am not sure what is different between them. I was told that development is an exact copy of production but I am thinking it is not.
MD2 is no longer considered cryptologically secure, so it has been disabled in one of the JRE 6 updates. The workaround is to use certificates that were created using algorithms that are still considered secure. Look for the documentation of keytool's -keyalg and -sigalg parameters; they should mention what else is available.
Thanks, yeah, that looks like what my research is telling me. The problem is that my employer does not want to pay for a certificate. The one I used was self generated. It looks like you cannot get around this with a self generated certificate. Is that correct?
Self-signed vs. commercial has nothing to do with which algorithm is used to generate it. Did you check out what options keytool supports for the sigalg parameter?
OK, thanks. That actually helped a lot. I am sure I will have 10,000 more questions before it's over.
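The replies above point to keytool's -keyalg and -sigalg options. As an added example (not code from this thread), the script below creates a self-signed signing key with SHA256withRSA, signs a jar with it, and scans keytool's verbose certificate output for certificates signed with MD2 or MD5. The alias, keystore name, password, distinguished names and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example. Alias, keystore, password and DN values are placeholders.

# Create a self-signed key whose certificate is signed with SHA256withRSA,
# then sign the given jar with it. Requires a JDK (keytool, jarsigner) on PATH.
make_and_sign() {  # usage: make_and_sign applet.jar
    keytool -genkeypair -alias appletkey -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=Example Applet Signer" \
        -keystore signer.jks -storepass changeit -keypass changeit &&
    jarsigner -keystore signer.jks -storepass changeit "$1" appletkey
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print
# "owner<TAB>algorithm" for each certificate whose signature algorithm matches
# the weak-digest pattern (default: MD2 or MD5; pass another regex as $1).
# Exit status is 0 when at least one weak certificate was found.
weak_sigalgs() {
    awk -v pat="${1:-^(MD2|MD5)with}" '
        /^[ \t]*Owner: / { owner = $0; sub(/^[ \t]*Owner: /, "", owner) }
        /^[ \t]*Signature algorithm name: / {
            # Field 4 is the algorithm; newer JDKs may append a note after it.
            if ($4 ~ pat) { printf "%s\t%s\n", owner, $4; found = 1 }
        }
        END { exit !found }
    '
}

# Constructed sample in the shape of keytool's verbose output: a two-certificate
# chain in which only the second certificate carries an MD2withRSA signature.
sample_chain() {
    cat <<'EOF'
Owner: CN=Example Applet Signer
Issuer: CN=Example Legacy Root
Signature algorithm name: SHA256withRSA
Version: 3

Owner: CN=Example Legacy Root
Issuer: CN=Example Legacy Root
Signature algorithm name: MD2withRSA
Version: 1
EOF
}
```

Pipe `keytool -printcert -jarfile applet.jar` or `keytool -list -v -keystore signer.jks -storepass changeit` into `weak_sigalgs` to check every certificate in the chain, not only the signer's own.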