Tuesday, February 16, 2016

Allowing (Unblock) Self-signed Java Applet in Java 7 Update 51 and Later

Java Security

Starting with Java 7 Update 51, the Java plug-in (at its default High security level) refuses to run applications that are unsigned, self-signed (not signed by a certificate from a trusted authority) or whose jar manifest lacks the Permissions attribute. This is a good security feature: every applet now has to name a publisher that the runtime can check.

Older Java runtimes (1.4 to 1.6) ran unsigned applets inside the sandbox without any prompt. For a self-signed applet a prompt was displayed and you had to explicitly tell the Java runtime that you trusted the applet.

Whether the site must also be added to Internet Explorer's Trusted Sites zone depends on the IE version. For IE10 and above, you must add the website address to the Trusted Sites zone for a signed applet to run without hiccups.


Applet for Internal Usage (Intranet)

On the other hand, if you have developed an application for internal use only, it may not be worth the effort and cost of buying a certificate from a trusted authority: the users already trust you, and you know the application does nothing malicious. Be clear about what that trade-off buys them, though. Once your self-signed certificate sits in a user's Signer CA store, any jar signed with the matching private key runs with full permissions on that machine, so the keystore holding that key must be guarded as carefully as a CA key.

This article shows how to create a self-signed certificate and install it on the users' machines so that their browsers stop complaining that your Java applet has been blocked, or that it poses a security risk, every time the page is opened.


Java Security Default Behaviour (Java 1.7 Update 51 onwards)

By default, a dialog stating that the application has been blocked by security settings is displayed when an unsigned applet is accessed (the screenshot is not reproduced here).


Exception Site List

Nevertheless, you can still allow an unsigned applet to run by adding its URL to the Exception Site List in the Java Control Panel.

However, the user will still be prompted every time the page is opened.


This may seem like a nuisance to users who know the applet can be trusted because their own developers wrote it. The prompts keep coming because the applet is not signed. The fix is for the developer to self-sign the applet, export the self-signed certificate, and distribute and install that certificate on the users' computers.


Java Certificate Repository (use Signer CA for self-signed certs)

Do not confuse this with the Windows certificate store: the Java deployment certificate stores are separate files in the user's profile.

The Java certificate stores are located at:

C:\Users\<user name>\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs

for signer certificates issued by a trusted authority (the "Trusted Certificates" list in the Java Control Panel, which holds publisher certificates the user has already accepted)

and

C:\Users\<user name>\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts

for certificate authorities (the "Signer CA" list in the Java Control Panel). A self-signed certificate belongs here because the signer is its own certificate authority.

If you import the self-signed certificate into trusted.certs instead, it is ignored and the applet is still blocked.



Permission Attributes

You can remove the URL from the Exception Site List only if the signed jar's manifest contains the appropriate Permissions attribute. If the attribute is not set and the URL is removed from the Exception Site List, the self-signed applet is still blocked, with the same blocking dialog, even after the certificate has been imported into the Signer CA store.
Therefore, set the jar manifest attribute in the Ant build as follows. The value all-permissions requests full permissions (outside the sandbox); an applet that can live inside the sandbox should declare sandbox instead.

    <jar destfile="applet/Abc.jar">
      <manifest>
        <attribute name="Permissions" value="all-permissions"/>
      </manifest>
     ...
     ...
    </jar>



Before Signing the Applet JAR

Generate a key pair in a Java keystore on the developer's machine. The private key is used to sign the applet jar, and the public certificate is exported from the same keystore entry for distribution to the users.


Generate Key Pair

C:\Users\<user-name>\AppData\LocalLow\Sun\Java\Deployment\security>keytool -genkeypair -alias Aliasname -keyalg DSA -keysize 1024 -dname "CN=PublisherName, OU=LineOfBusiness, O=CompanyName, C=Country" -keypass keypwd -storepass storepwd -validity NoOfDaysToExpire

This creates a file named .keystore in the C:\Users\<user-name> folder (keytool's default keystore, regardless of the directory you run it from). If -storepass and -keypass are omitted, keytool prompts for them, which keeps the passwords out of the command history. Note that the 1024-bit DSA key and SHA1withDSA signature used here were acceptable in 2016, but later Java releases disable SHA-1 jar signatures; for a key that has to keep working, generate a 2048-bit RSA key instead. Once the keystore exists, sign the applet jar with jarsigner and export the public certificate.


Create Self-signed Public Certificate File

C:\Users\<user-name>\AppData\LocalLow\Sun\Java\Deployment\security>keytool -exportcert -storepass storepwd -alias Aliasname -file mycert.csr

Certificate stored in file <mycert.csr>

Despite the .csr extension used here, the file is a DER-encoded X.509 certificate (which is what keytool -exportcert writes), not a certificate signing request; naming it .cer avoids confusion. Copy this file to the client computers and import it into the Java Signer CA store. Before answering "yes" to the import prompt, compare the fingerprints keytool prints on the client with the ones obtained on the developer's machine; a mismatch means the file was substituted in transit.


Import Certificate into Signer CA Repository of Client Machine

C:\Users\<user-name>\AppData\LocalLow\Sun\Java\Deployment\security>keytool -importcert -keystore c:\users\<user-name>\appdata\locallow\sun\java\deployment\security\trusted.cacerts -storepass ""  -alias Aliasname -file mycert.csr
Owner: CN=PublisherName, OU=LineOfBusiness, O=CompanyName, C=Country
Issuer: CN=PublisherName, OU=LineOfBusiness, O=CompanyName, C=Country
Serial number: 56c2a5d8
Valid from: Tue Feb 16 12:30:16 SGT 2016 until: Fri Feb 13 12:30:16 SGT 2026
Certificate fingerprints:
         MD5:  29:4F:49:3B:5D:44:4D:D4:11:BA:EB:0E:F7:9A:63:76
         SHA1: 67:6A:B8:68:0F:C2:19:DD:CE:F4:C8:C0:46:C4:13:D5:AF:85:39:21
         Signature algorithm name: SHA1withDSA
         Version: 3
Trust this certificate? [no]:  yes

Certificate was added to keystore



 Run Applet First Time

The first time the applet runs, a prompt asks whether to run the application from this publisher. Once it is approved with "Do not show this again" checked, it will not prompt again.
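Before shipping the signed jar and the exported certificate, it is worth checking that the three things the procedure above depends on actually hold: the exported certificate is self-signed and valid, the manifest carries the Permissions attribute, and every entry in the jar is signed by that same certificate (not by a stale key from an earlier build). The following program is an added example, not code from the original post; it assumes the jar and certificate paths from the text (applet/Abc.jar and mycert.csr) and that the jar was signed with jarsigner using the keystore entry created above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/**
 * Pre-deployment check for a self-signed applet jar (added example, not part of the original post).
 * Usage: java CheckSignedApplet applet/Abc.jar mycert.csr
 */
public class CheckSignedApplet {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CheckSignedApplet <signed.jar> <exported-cert>");
            System.exit(2);
        }
        X509Certificate trusted = loadCert(args[1]);
        boolean ok = checkCertificate(trusted);
        ok &= checkJar(args[0], trusted);
        System.out.println(ok ? "OK" : "FAILED");
        System.exit(ok ? 0 : 1);
    }

    /** Reads the DER (or PEM) certificate written by keytool -exportcert. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Self-signed: issuer equals subject and the signature verifies under the cert's own key. */
    static boolean checkCertificate(X509Certificate cert) throws Exception {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            System.out.println("FAIL certificate is not self-signed (issuer differs from subject)");
            return false;
        }
        try {
            cert.verify(cert.getPublicKey()); // throws on a corrupted or forged signature
            cert.checkValidity();             // throws if expired or not yet valid
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL certificate rejected: " + e);
            return false;
        }
        System.out.println("Subject  " + cert.getSubjectX500Principal());
        System.out.println("SHA1     " + fingerprint(cert, "SHA-1"));   // compare with keytool's output
        System.out.println("SHA-256  " + fingerprint(cert, "SHA-256"));
        return true;
    }

    /** Checks the Permissions attribute and that every content entry is signed by the trusted cert. */
    static boolean checkJar(String path, X509Certificate trusted) throws Exception {
        boolean ok = true;
        try (JarFile jar = new JarFile(path, true)) {   // true = verify digests while reading
            Manifest mf = jar.getManifest();
            String perms = mf == null ? null : mf.getMainAttributes().getValue("Permissions");
            if (perms == null) {
                System.out.println("FAIL manifest has no Permissions attribute (7u51+ blocks the applet)");
                ok = false;
            } else {
                System.out.println("Permissions: " + perms);
            }
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* signer certs are attached only after EOF */ }
                } catch (SecurityException se) {
                    System.out.println("FAIL digest mismatch, entry was modified after signing: " + e.getName());
                    ok = false;
                    continue;
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) {
                    System.out.println("FAIL unsigned entry: " + e.getName());
                    ok = false;
                } else if (!certs[0].equals(trusted)) { // Certificate.equals compares the DER encoding
                    System.out.println("FAIL signed by a different certificate: " + e.getName());
                    ok = false;
                }
            }
        }
        return ok;
    }

    /** MANIFEST.MF and the META-INF signature files are never themselves signed. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
                || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    /** Colon-separated hex digest of the DER encoding, in the same format keytool prints. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Run it on the developer's machine after jarsigner and keep the printed SHA1/SHA-256 fingerprints with the certificate file; the person importing the certificate on a client compares them against what keytool shows at the "Trust this certificate?" prompt. The entry loop reads each file to the end on purpose: a verifying JarFile only attaches signer certificates once an entry has been fully read, and a digest mismatch surfaces as a SecurityException at that point.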
That's it.
