Lenovo Software Helpdesk

            Failed to validate certificate error launching webRDP applet

            This happens only after the customer updated to Java 7u25, which added more security by forcing certificate validation by default. 
            http://www.java.com/en/download/help/appsecuritydialogs.xml 


            It appears workstations on the customer's network are unable to properly connect to Comodo's CRL URL and receive the validation list. 


            The two Java Console debug outputs below show the difference between Java receiving the CRL file from Comodo and not receiving it: 

            Customer's Java Console: 
            network: Connecting http://ocsp.comodoca.com/ with proxy=DIRECT 
            network: Connecting http://ocsp.comodoca.com:80/ with proxy=DIRECT 
            security: Failing over to CRLs: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage 
            network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null] 
            network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=DIRECT 
            network: Connecting http://crl.comodoca.com:80/ with proxy=DIRECT 
            basic: Dialog type is not candidate for embedding 
            network: Created version ID: 1.7.0.25 
            network: Created version ID: 1.7.0.25 
            basic: Embedding dialogs not enabled in Configuration 

            Working Java Console: 
            network: Connecting http://ocsp.comodoca.com/ with proxy=DIRECT 
            network: Connecting http://ocsp.comodoca.com:80/ with proxy=DIRECT 
            security: Failing over to CRLs: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage 
            network: Cache entry not found [url: http://crl.comodoca.com/COMODOCodeSigningCA2.crl, version: null] 
            network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=DIRECT 
            network: Connecting http://crl.comodoca.com:80/ with proxy=DIRECT 
            network: CleanupThread used 1 us 
            network: Downloading resource: http://crl.comodoca.com/COMODOCodeSigningCA2.crl 
            Content-Length: 47,012 
            Content-Encoding: null 
            network: Wrote URL http://crl.comodoca.com/COMODOCodeSigningCA2.crl to File C:\\Users\\testuser\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\16\\2fac80d0-71e8966e-temp 
            network: CleanupThread used 1 us 
            cache: Adding MemoryCache entry: http://crl.comodoca.com/COMODOCodeSigningCA2.crl 
            security: Certificate validation succeeded using OCSP/CRL 
            security: Checking if certificate is in Internet Explorer TrustedPublisher certificate store 
            basic: Dialog type is not candidate for embedding 
            security: User has granted the priviledges to the code for this session only 
            security: Saving certificates in Deployment session certificate store 
            security: Saved certificates in Deployment session certificate store 
            network: Created version ID: 1.7.0.25 
            network: Created version ID: 1.7.0.25 
            basic: Embedding dialogs not enabled in Configuration 

            Internal testing has found that if the workstation is unable to reach ocsp.comodoca.com and crl.comodoca.com, Java does not generate the proper error stating that it was unable to contact the CA servers, and does not prompt the user whether to run the application anyway. Instead, it just throws the error that it failed to validate the certificate. 

            The fix is to make sure workstations are able to reach those servers and that they are not being blocked by a firewall or similar device. 
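
            Added example (not part of the original article or of any Lenovo or Oracle tooling): a Python triage of a Java Console trace that reports which CRL URLs were requested but never downloaded, which proxy setting was used, and whether validation succeeded. The `triage` function and the abbreviated sample traces are constructed here from the two console outputs above, and matching relies only on the line formats those outputs show.

```python
import re
from urllib.parse import urlsplit

CONNECT = re.compile(r"^network: Connecting (\S+) with proxy=(\S+)")
FETCHED = re.compile(r"^network: (?:Downloading resource:|Wrote URL) (\S+)")

# Constructed samples: abbreviated excerpts of the two traces in the article.
COMMON = """\
network: Connecting http://ocsp.comodoca.com/ with proxy=DIRECT
security: Failing over to CRLs: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
network: Connecting http://crl.comodoca.com/COMODOCodeSigningCA2.crl with proxy=DIRECT
network: Connecting http://crl.comodoca.com:80/ with proxy=DIRECT
"""
FAILING = COMMON + "basic: Dialog type is not candidate for embedding\n"
WORKING = COMMON + """\
network: Downloading resource: http://crl.comodoca.com/COMODOCodeSigningCA2.crl
security: Certificate validation succeeded using OCSP/CRL
"""

def triage(trace):
    """Summarise the revocation-check steps visible in a Java Console trace."""
    requested, fetched, proxies = [], set(), set()
    failover = validated = False
    for line in map(str.strip, trace.splitlines()):
        m = CONNECT.match(line)
        if m:
            url, proxy = m.groups()
            proxies.add(proxy)
            # Only full CRL resource URLs count; bare host:port lines are skipped.
            if urlsplit(url).path.lower().endswith(".crl") and url not in requested:
                requested.append(url)
        elif (m := FETCHED.match(line)):
            fetched.add(m.group(1))
        elif line.startswith("security: Failing over to CRLs"):
            failover = True
        elif line.startswith("security: Certificate validation succeeded"):
            validated = True
    return {
        "ocsp_failed_over": failover,
        "crl_not_downloaded": [u for u in requested if u not in fetched],
        "proxies": sorted(proxies),
        "validated": validated,
    }

if __name__ == "__main__":
    for name, trace in (("customer", FAILING), ("working", WORKING)):
        print(name, triage(trace))
```

A non-empty `crl_not_downloaded` list together with `proxies` of `['DIRECT']` points at the hosts and the connection path to check on the firewall.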

            A workaround is to disable the certificate revocation checks in the Java console by setting "Perform certificate revocation checks on" to "Do not check". With that setting Java no longer checks whether the signing certificate has been revoked.
            Updated: 21 Jul 2014 11:22 AM