java security ssl applet tomcat7

Tomcat Security Warning When Loading Applet


I have an applet that is being loaded from a secure Tomcat server, and right before the applet is loaded I get an error that the site certificate is not valid and cannot be used to verify the identity of this website. I’m not sure why this is an issue only when the applet starts to load, because Tomcat is set up using this certificate that it is now saying isn’t trusted. If I hit continue the applet loads fine, but every new session I get this again.

I’ve found a workaround by importing the COMODO RSA Organization Validation Secure Server CA into the Java Security Control Panel. This really isn’t an option for all of our users, so I’m looking for other ways of fixing this.

When I check the security report of the site it says that the connection to the website is encrypted. The site certification is valid and certification path status says that it’s ok too. I had the Tomcat admin import the COMODO RSA Organization Validation Secure Server CA into the keystore and it didn’t fix the issue.

The applet is signed with a valid signer certificate and runs fine once the user hits continue.

Any suggestion or help would be appreciated. At the least something to try or another thing to look at would be really helpful.



Solution

  • The certificate error clearly says that the Certificate Authority that issued the certificate is not trusted, which means you have to trust it explicitly by going into the browser's truststore to add it manually.

    As far as I know, not all of COMODO's root certificates come built in to some software such as Java, Chrome or even Windows, unlike those of some major CAs like Entrust, GeoTrust, DigiCert, VeriSign, etc.

    From the CA name you mentioned (COMODO RSA Organization Validation Secure Server CA), I only have this CA cert installed in my Firefox browser. My Java, Windows and Chrome do not have it installed.

    The only COMODO certs I see in my software are these (by default):

    Chrome: (58.0.3029.110)

    • COMODO RSA CA

    Firefox: (53.0.3)

    [Screenshot: COMODO certificates in Firefox]

    Windows: (10)

    • COMODO RSA CA

    Java: (1.8.0_121)

    • COMODO ECC CA
    • COMODO RSA CA
    • COMODO CA Limited

    Note: These are the ones I see on my default installations. These may differ in your case.

    Assuming it is similar on your machine as well, this is what is causing the certificate error. I'm guessing that if you try to launch your applet in Firefox you may not see the error, because I see the CA you mentioned installed in Firefox by default.

    But if you want to overcome this error in all major browsers without having to train your users on how to add them into the truststore, or if you want to completely avoid asking your users to do this step, you may have to choose a CA that is trusted across all software and browsers by default.
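The manual truststore survey in the answer above can be repeated on any client with the following added example, which is not part of the original question or answer: it lists the default JRE trust anchors matching a name and, optionally, validates a saved server chain against them. The class name `TrustCheck` and the PEM file argument are assumptions, and it should be run with the same JRE the applet plug-in uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {
    // Trust anchors the running JRE ships with (its default cacerts store).
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JRE default trust store
        return ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
    }

    public static void main(String[] args) throws Exception {
        String needle = (args.length > 0 ? args[0] : "COMODO").toUpperCase();
        X509Certificate[] anchors = defaultAnchors();
        System.out.println("Default trust anchors matching " + needle + ":");
        for (X509Certificate ca : anchors) {
            String dn = ca.getSubjectX500Principal().getName();
            if (dn.toUpperCase().contains(needle)) System.out.println("  " + dn);
        }
        if (args.length < 2) return;

        // args[1] (hypothetical): PEM file holding the certificates the server
        // presents, leaf first, as exported from a browser or another TLS client.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[1]);

        Set<TrustAnchor> trust = new HashSet<>();
        for (X509Certificate ca : anchors) trust.add(new TrustAnchor(ca, null));
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // test trust only, not CRL/OCSP status
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("Chain validates against this JRE's default trust store.");
        } catch (CertPathValidatorException e) {
            System.out.println("Chain NOT trusted by this JRE: " + e.getMessage());
        }
    }
}
```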