I went pretty far down this rabbit hole. Here’s where I ended up: sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing .
I had a certificate issued from letsencrypt, and then used this guy’s instructions to transform the keys into Java Keystore JKS format. Then, I got the above error, and could not execute my JNLP.
Letsencrypt is awesome, and the entire Java WebStart technology is slowing going away. However, for the need I presently have (signing jar files), it unfortunately looks like letsencrypt will not work for me. I wanted to provide this super detailed response in case anyone else started down this path, and my note could help them come to the same conclusion I did, but more quickly.
Here’s the shortcut, official, someone working for letsencrypt explaining why they don’t issue these kind of certificates.