I need to install our website using a Java applet on an intranet. It will run under Apache and contain all the applet's JNLP and JAR files required for deployment. In contrast to this question, my Java applet is signed with a Thawte certificate.
The main question is the following: will a Java applet signed with a trusted certificate start on a client computer in the intranet?
I can't answer my own question because I don't know how the certificate is verified before the applet starts. I found this article that explains certificate revocation options, but I'm not sure whether the revocation check is the same as the certificate verification on the very first applet start.
I carried out a test by disabling the Internet connection on the client computer and setting up a wired connection to the local server. I'm also not sure whether such a test is clean, because my client computer had run this signed applet before, while it was connected to the Internet. Anyway, before testing I went to Java Control Panel > Security > Manage Certificates and removed the certificate from Trusted Certificates. When I open a page with the applet, each time I get the Security Warning dialog:
Do you want to run this application?
Running this application may be a security risk
Risk: This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source
Unable to ensure the certificate used to identify this application has not been revoked
Accepting the risk adds the certificate to the trusted certificates list in the Java Control Panel. Does it mean that Java and/or the web browser recognize the certificate by themselves?
Setting the Perform certificate revocation checks on option to Do not check (not recommended) in the Java Control Panel on the client computer gives the desired result: the user will be prompted to start the signed applet as usual and can disable such messages in the future. Is setting this option enough to run the applet in the intranet?
The answer is yes, but turning off revocation checking presents a security risk to your clients. It is only advisable if the machines running your applet are situated in a managed network, like a company network, and have no Internet connection. Remember that revocation checking is a global option and cannot be set per applet or domain. You may also have a look at this thread.
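To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or the Java plug-in itself) that reproduces the two separate steps the plug-in performs on a signed JAR: first, chain validation against the JRE's trusted roots (this is what "is the certificate trusted" means, and it works offline); second, the revocation check, which has to reach the CA's CRL or OCSP endpoints and therefore fails on an isolated client. Assumptions: the JAR has a single signer, the trust store is the JRE's own `lib/security/cacerts`, Java 8 or later (for `PKIXRevocationChecker`), and the JAR path is given as the first command-line argument. Nothing here touches the Control Panel setting; it only shows which of the two checks breaks when the client is offline.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: trust validation and revocation checking of a signed JAR as two separate steps. */
public class SignerCheck {

    /** Integrity step: reading every entry makes JarFile verify the signature block. */
    static List<Certificate[]> signerChains(String jarPath) throws Exception {
        List<Certificate[]> chains = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // Signature files and the manifest are not themselves signed.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* getCertificates() is only valid after a full read */ }
                }
                Certificate[] certs = entry.getCertificates(); // null means the entry is unsigned
                if (certs == null) throw new SecurityException("unsigned entry: " + entry.getName());
                chains.add(certs);
            }
        }
        return chains;
    }

    /** Trust step (always) and revocation step (only when revocation is true). */
    static String check(Certificate[] chain, boolean revocation) throws Exception {
        // Assumption: the JRE's bundled cacerts is the trust store, as for the plug-in.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts"))) {
            cacerts.load(in, null); // null password: read without the integrity check
        }
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = (X509Certificate) path.get(path.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1); // the trust anchor comes from cacerts, not from the JAR
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(cacerts);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (revocation) {
            // Same scope as the Control Panel's "Publisher's certificate only" choice:
            // OCSP (AIA) and CRL distribution points are fetched from the network.
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
            params.addCertPathChecker(rc);
        } else {
            params.setRevocationEnabled(false); // equivalent of "Do not check (not recommended)"
        }
        try {
            validator.validate(certPath, params);
            return "valid";
        } catch (CertPathValidatorException ex) {
            // Offline clients end up here with UNDETERMINED_REVOCATION_STATUS, which is what
            // the "Unable to ensure the certificate ... has not been revoked" warning reports.
            return "rejected: " + ex.getReason() + " (" + ex.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        for (Certificate[] chain : signerChains(args[0])) {
            X509Certificate signer = (X509Certificate) chain[0];
            System.out.println("signer: " + signer.getSubjectX500Principal());
            System.out.println("  trust only        : " + check(chain, false));
            System.out.println("  trust + revocation: " + check(chain, true));
        }
    }
}
```

Run it as `java SignerCheck applet.jar` once with the client connected to the Internet and once on the isolated intranet: the "trust only" line stays `valid` in both cases because the Thawte root is in cacerts, while the "trust + revocation" line flips to `rejected: UNDETERMINED_REVOCATION_STATUS` as soon as the CRL and OCSP URLs embedded in the certificate become unreachable. Disabling revocation checks, as the answer says, silences exactly that second step on the whole machine, so a revoked signing certificate from any publisher would also pass.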