With the latest JRE update (Java on the client), JRE 8u31 (or, in my case, 1.7.0_75 on Mac), we have confirmed that several users have problems loading Viafirma's Java applet (in general this will happen with any Java applet) in several browsers when the website is published over HTTPS with an SSL certificate issued by a Certification Authority that Java does not trust by default (as is the case for many of the Electronic Administration portals in Spain). Without going into too much detail, since this post is meant to help users of such portals (in our case, especially users of the Fundación Tripartita), the problem is that, for whatever reason, browsers are not detecting the full certification path (the certificates of the different intermediate and root CAs).
For example, when we try to load https://viafirma.fundaciontripartita.org/viafirma, the browser (in my case Firefox on Mac) forces us to accept the risk precisely because the connection could not be validated. The screen makes it clear that "the issuer chain has not been provided":
When I add the exception and then look at the certificate's trust chain, we can see that Firefox is not detecting it:
This does work, for example, with https://www.eacat.cat/viafirma, where the browser detects the complete certification path and has no problem validating the certificate:
An inconvenient but effective solution is to manually add, in our local Java configuration, trust in the root and intermediate Certification Authorities of the CA that issued the site's SSL certificate; in the case of the Fundación Tripartita, that is the FNMT. To do this, first download this ZIP file, which contains the two public certificates of the FNMT CAs:
- fnmt-ca-ssl-certs
We unzip it, and then we will open the Java Control Panel:
Click on Security and then on Manage Certificates; under Certificate Type select "Secure Site CA", so that the trust we add applies to SSL certificates issued by the FNMT:
Now click Import and select the two trusted certificates from the folder where we unzipped them; if they cannot be selected, change the file-type filter so that it shows all file types, and select the two .cer certificates. At the end we will have something like this:
And the applet will load correctly.
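As an added example (not part of the original post, and not Viafirma's or the FNMT's code), the following shell script shows the command-line side of the same procedure: first a check of which certificates a server actually sends in its TLS handshake, so you can tell whether the issuer chain is being provided before touching any client configuration, and then the keytool equivalent of the Control Panel import. The `openssl s_client` outputs embedded below are constructed samples with placeholder PEM bodies, not real FNMT certificates; the keystore path for the "Secure Site CA" store (`trusted.jssecacerts` under the Java deployment security directory) and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: what `openssl s_client -showcerts` prints for a server
# that sends only its own (leaf) certificate and no intermediate CA.
INCOMPLETE_CHAIN='Certificate chain
 0 s:/C=ES/O=EXAMPLE ORG/CN=applet.example.org
   i:/C=ES/O=EXAMPLE CA/CN=EXAMPLE INTERMEDIATE CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT
-----END CERTIFICATE-----
---'

# Constructed sample: the same output for a server that also sends the
# intermediate CA certificate, so clients can build the path to the root.
COMPLETE_CHAIN='Certificate chain
 0 s:/C=ES/O=EXAMPLE ORG/CN=www.example.cat
   i:/C=ES/O=EXAMPLE CA/CN=EXAMPLE INTERMEDIATE CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT
-----END CERTIFICATE-----
 1 s:/C=ES/O=EXAMPLE CA/CN=EXAMPLE INTERMEDIATE CA
   i:/C=ES/O=EXAMPLE CA/CN=EXAMPLE ROOT CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERT
-----END CERTIFICATE-----
---'

# Number of certificates the server presented in the handshake.
chain_depth() {
  printf '%s\n' "$1" | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Subject and issuer of the first (leaf) certificate in the chain.
leaf_subject() { printf '%s\n' "$1" | sed -n 's/^ *0 s:\(.*\)$/\1/p'; }
leaf_issuer()  { printf '%s\n' "$1" | sed -n '/^ *0 s:/{n;s/^ *i:\(.*\)$/\1/p;}'; }

# "incomplete" when the server sent only a leaf that is not self-signed:
# the client then has to find the issuer on its own (the situation in the
# post, where the browser reports that the issuer chain was not provided).
chain_status() {
  depth=$(chain_depth "$1")
  if [ "$depth" -eq 1 ] && [ "$(leaf_subject "$1")" != "$(leaf_issuer "$1")" ]; then
    echo incomplete
  else
    echo ok
  fi
}

# Live check against a host (not run here): dump the chain the server serves.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# keytool equivalent of Java Control Panel > Security > Manage Certificates >
# Secure Site CA > Import.  $1: keystore, $2: alias, $3: .cer file.
# Assumed store path on macOS (Java 7/8 deployment directory):
#   "$HOME/Library/Application Support/Oracle/Java/Deployment/security/trusted.jssecacerts"
# keytool prompts for the store password; a missing store is created.
import_secure_site_ca() {
  keytool -importcert -noprompt -keystore "$1" -alias "$2" -file "$3"
}

# Usage (live checks are commented out so the script runs offline):
# fetch_chain viafirma.fundaciontripartita.org | tee chain.txt
# chain_status "$(cat chain.txt)"
# import_secure_site_ca "$HOME/Library/Application Support/Oracle/Java/Deployment/security/trusted.jssecacerts" fnmt-root  "FNMT-ROOT.cer"
# import_secure_site_ca "$HOME/Library/Application Support/Oracle/Java/Deployment/security/trusted.jssecacerts" fnmt-inter "FNMT-INTERMEDIATE.cer"
chain_status "$INCOMPLETE_CHAIN"
chain_status "$COMPLETE_CHAIN"
```

If `chain_status` reports `incomplete` for the portal, the client-side import described above is a workaround for the user's machine; the durable fix is for the site operator to configure the server to send the intermediate certificate along with the leaf, after which clients that already trust the root need no manual import.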