Software Question

Java v7 u40 - Deployment rule set certificate?

09/19/2013 25872 views

I wanted to know if anyone had instructions or knew how to create self-signed certificates for the deployment rule sets, or if it can be done at all?  I've followed instructions here:




to create a self signed certificate and then used the keytool to extract the certificate using the command: keytool -exportcert -keystore <keyname> -alias <aliasname> -file <filename>. I put the certificate in my trusted root ca, and then followed the instructions here to create and sign the jar file:




I put the ruleset in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar and the link to view it appears in the java control panel under Security. However, when I click on the link to view the ruleset, I see "Rule Set not found", and when I go to a website with Java I get the error "Application blocked by Deployment Rule Set" and the last line of the error says "Invalid Deployment Rule Set file"


So, does anyone know where I'm going wrong?  I've already spent a few hours on this and can't figure it out. I'm just doing this on a test VM, so I don't care about certificate and security issues since I'll revert the VM once I'm done. 

2 Comments   [ + ] Show comments


  • I figured out the problem. I didn't have ruleset.xml in the same folder as jar.exe, so when I created the jar file, ruleset.xml was not in the root of the jar file.
  • Thanks for this info :D

Community Chosen Answer


are you saving the cert to the TrustedPublisher store on the local machine?

Answered 09/23/2013 by: mattski
Second Degree Green Belt

All Answers


To aggregate the whole situation of Java 7 Update 40 and up, please correct me when i am wrong, so i know i understand it right.

After the next security update of Java 7, all Java Applets which are not legal signed or the certificate is out of date are not runable anymore?
Only way to start them is to make a ruleset.xml, pack them into jar and then sign it with a certificate.

Is it possible to whitelist only internal java applets or can we whitelist any java-applets?

We have a corporate certificate to sign web-services on our domain, can we use it?
Do all applets signed with this certiciate have to be opened based on our domainname?

Can we use our active-directory self-signed certificate structure to sign our ruleset.xml?
I have a *.pfx file or a *.cer and *.key file, how can i merge them in a *jks using keytool?
Can we whitelist external applets, with this certificate.

Sorry not much experience with certificates at all.

Answered 09/30/2013 by: Jokes2013
White Belt

  • I wrote a fairly long blog post about this to document how one would create this file and sign it. Here is the post:

@Ryan2065 awesome tutorial, works great! Thanks! Admin Silver-Star! ;)

I get a data-signing certificate from our rootca-admin.

Works fine with Internet-Explorer, any way to push certificates to firefox?
e.g.: let firefox read the windows-system-certificates to verify the certificate-chain?

Figured it out myself:
import your CA in Java Control-Panel: (System-Context)

Rename *.cer in *.pem

An the default password is "changeit" ,you don't have to change it! ;)

C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\jav
a\jre7\lib\security\cacerts" -storepass changeit -file MYCA.pem -alias MYCAALIAS

C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\jav
a\jre7\lib\security\cacerts" -storepass changeit -file MYROOTCA.pem -alias MYROOTCAALIAS -noprompt

Answered 10/01/2013 by: Jokes2013
White Belt

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ