Error: Failed to validate certificate. The application will not be executed

Hello everyone,

I have a code signed applet and just ran into an issue with a customer running Java 6u18 where they are presented with a dialog box saying: Failed to validate certificate. The application will not be executed.

The associated stack trace under details: java.security.cert.CertificateException: java.security.cert.CertPathValidatorExc - Pastebin.com

Looking around, the issue seems to be that the DigitalSignature flag is not set in the KeyUsage section of the cert (https://forums.oracle.com/forums/thread.jspa?threadID=2434846), and that versions of Java prior to 6u35 would not allow the applet to run without this flag.

I was able to reproduce the problem under 6u18 and have also verified that it has been fixed in 6u35. The customer is in a pretty locked down environment and is not able to upgrade the version of Java on the machine. Before I submit a support ticket I just wanted to check with the community to see if you guys were aware of any workarounds.

The keyUsage bit for digitalSignatures is on your certificate or else it wouldn’t work with any signing application. The problem seems to stem from how Oracle is handling OCSP within the JRE. There is no known workaround at this time for us.

Java should be one of those packages that shouldn’t be locked down from updating because of how vulnerable it is and it is probably best to keep that application as up to date as possible. (same goes for Flash)

Thanks for the reply.

I have only learned just enough about code signing so I could sign this jar for a project so there are definitely gaps in my knowledge.

The link to the Oracle forum mentioned the digital signature thing, which is why I brought it up. I did run:

keytool -list -v -alias "my alias" -keystore mykeystore.p12 -storetype pkcs12

I only saw the following in the KeyUsage section:

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

When I respond to the customer I am definitely going to bring up the dangers of having out of date Java, particularly with the recently found exploit. I just wanted to make sure I understood what other options I had to figure this problem out.
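A small check for the KeyUsage bit this thread is about, written as an added example and not code from the original thread or from Oracle: it decodes the DER BIT STRING that carries an X.509 KeyUsage extension and reports whether digitalSignature is set, which is what the pre-6u35 JRE check was looking for. The sample values are constructed, not taken from the poster's certificate, and the DER layout assumed is the one RFC 5280 defines.

```python
# Decode an X.509 KeyUsage extension value (RFC 5280, 4.2.1.3) and check for
# the digitalSignature bit.  The extension value is a DER BIT STRING:
#   0x03 <length> <number of unused bits in last octet> <bit octets...>
# Bit 0 is the most significant bit of the first octet.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> list:
    """Return the names of the KeyUsage bits set in a DER-encoded BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        octet, bit = divmod(i, 8)
        if body[octet] & (0x80 >> bit):
            names.append(KEY_USAGE_BITS[i])
    return names


def allows_code_signing(der: bytes) -> bool:
    """True when digitalSignature is set, the bit the pre-6u35 JRE check required."""
    return "digitalSignature" in decode_key_usage(der)


# Constructed sample values: a CA-style KeyUsage with only keyCertSign and
# cRLSign, like the keytool listing above, and a typical end-entity signing
# KeyUsage with digitalSignature set.
CA_ONLY_KEY_USAGE = bytes.fromhex("03020106")
SIGNING_KEY_USAGE = bytes.fromhex("03020780")

if __name__ == "__main__":
    for label, value in (("CA-only", CA_ONLY_KEY_USAGE), ("signing", SIGNING_KEY_USAGE)):
        print(label, decode_key_usage(value), "digitalSignature:", allows_code_signing(value))
```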