We have a Java applet that needs to run with full trust.
While developing and during pre-release tests we sign it using a self-signed certificate (the production version is signed with a real code signing certificate).
But when we try to start the self-signed applet on the prereleases of OS X 10.8, we can no longer choose to allow it to run. The "Allow"-button is simply disabled:
If I press "Show Details..." I can choose to "Always trust" the certificate, but this makes no difference:
It works with the same version of the Java JRE on OS X Lion 10.7, so I suspect it is an issue with the OS and not the JRE.
Are there any workarounds?
I would prefer not to use a real code signing certificate for testing: signing with a real code signing certificate means that my company asserts that the applet is secure and should be trusted. We can hardly assert that before we have tested it.
It is a new security feature in Mac OS X; by default only apps from Mac Store & from trusted developers are allowed to run there. Fortunately, it is easy to change; you have to allow this in Mac OS X preferences.
Go to Preferences -> Security & Privacy and click on the padlock to allow changes.
Then in "Allow applications downloaded from" select "Anywhere".
After that, the button in the Java dialog will be enabled.
If you get the "Application Blocked by Security Settings" message, you need to go into System Preferences: Java: Security and either add your site to the exception list or reduce the security level to Medium.
In OS X Lion you can manually add the certificate as a trusted root certificate using the built-in Keychain Access tool. I don't have access to OS X Mountain Lion yet so I don't know if it will work in Mountain Lion, but it seems worth a try. The steps in Lion are:
- Open Keychain Access (located in /Applications/Utilities)
- Click File | Import Items...
- Change the Destination Keychain to System
- Find your certificate file and click Open
- It will say "Do you want your computer to trust certificates signed by [...] from now on?". Click Always Trust.
If you generated your certificate directly in a Java keystore then you might not have a standalone certificate file. You can easily export one using this guide from Oracle.
I note that your screenshot says "This certificate is marked as trusted for this account", which is curious because I'd expect that to be acceptable. Maybe in OS X Mountain Lion user-added root certificates somehow have a lower status than official ones distributed by Apple? If you find that the above steps don't work, you could try adding your certificate to the official root keychain. Keychain Access won't let you do that, but I believe you can use the builtin certtool to manually edit the keychain located at /System/Library/Keychains/SystemRootCertificates.keychain to achieve that.
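The keystore export and the Keychain Access import steps from the answer above, written as Terminal commands. This is an added example, not part of the original answer; it uses the stock `keytool` and `security` tools, and the keystore, alias and file names passed in are placeholders. It also adds a function to remove the trust setting again once testing is done.

```shell
#!/bin/sh
# Added example: command-line form of the Keychain Access steps.
# Keystore path, alias and certificate file names are caller-supplied placeholders.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# With DRY_RUN=1 each command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Export the signing certificate (public part only) from a Java keystore as PEM.
export_cert() {   # usage: export_cert KEYSTORE ALIAS OUT_PEM
    run keytool -exportcert -keystore "$1" -alias "$2" -rfc -file "$3"
}

# Print subject and fingerprints so you can confirm which certificate you are about to trust.
show_cert() {     # usage: show_cert CERT_PEM
    run keytool -printcert -file "$1"
}

# Import into the System keychain and mark as a trusted root ("Always Trust").
trust_cert() {    # usage: trust_cert CERT_PEM
    [ "${DRY_RUN:-0}" = 1 ] || [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    run sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$1"
}

# Remove the admin trust setting again once testing is finished, so the
# self-signed test certificate does not stay trusted on the machine.
untrust_cert() {  # usage: untrust_cert CERT_PEM
    run sudo security remove-trusted-cert -d "$1"
}
```

Set `DRY_RUN=1` first to see the exact commands before running them with administrator rights.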
Source: https://stackoverflow.com/questions/11136805/java-applet-with-self-signed-certificate-on-os-x-mountain-lion