JEP 319: Root Certificates

AuthorSean Mullan
OwnerRajan Halade
TypeFeature
ScopeJDK
StatusClosed / Delivered
Release10
Componentsecurity-libs / java.security
Discussionsecurity dash dev at openjdk dot java dot net
EffortS
DurationS
Reviewed byBrian Goetz, Mark Reinhold
Endorsed byBrian Goetz
Created2017/11/17 13:04
Updated2018/08/14 21:58
Issue8191486

Summary

Provide a default set of root Certification Authority (CA) certificates in the JDK.

Goals

Open-source the root certificates in Oracle's Java SE Root CA program in order to make OpenJDK builds more attractive to developers, and to reduce the differences between those builds and Oracle JDK builds.

Motivation

The cacerts keystore, which is part of the JDK, is intended to contain a set of root certificates that can be used to establish trust in the certificate chains employed in various security protocols. The cacerts keystore in the JDK source code, however, is currently empty. As a result, critical security components such as TLS do not work by default in OpenJDK builds. To work around this issue, users must configure and populate the cacerts keystore with a set of root certificates as documented, for example, in the JDK 9 release notes.

Description

The cacerts keystore will be populated with a set of root certificates issued by the CAs of Oracle's Java SE Root CA Program. As a prerequisite, each CA must sign the Oracle Contributor Agreement (OCA), or an equivalent agreement, to grant Oracle the right to open-source their certificates. Below are the CAs that have signed the required agreement and, for each, a list of the root certificates (identified by the Distinguished Name) that will be included. This list includes a majority of the CAs that are currently members of Oracle's Java SE Root CA Program. Those that do not sign an agreement will not be included at this time. Those that take longer to process will be included in the next release.

Actalis S.p.A.

  1. CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT

Buypass AS

  1. CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  2. CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO

Camerfirma

  1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

Certum

  1. CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  2. CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Chunghwa Telecom Co., Ltd.

  1. OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW

Comodo CA Ltd.

  1. CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  2. CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  3. CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  4. CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  5. CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  6. CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  7. CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  8. CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  9. CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  10. CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  11. CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Digicert Inc.

  1. CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  2. CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  3. CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  4. CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  5. CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  6. CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
  7. CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  8. CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  9. CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  10. CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  11. OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  12. CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  13. CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  14. CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  15. CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  16. CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  17. CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  18. CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  19. CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  20. CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  21. CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  22. CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  23. EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  24. CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  25. OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  26. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  27. CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  28. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  29. CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  30. OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  31. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  32. CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  33. CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  34. CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  35. CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

DocuSign

  1. CN=Class 2 Primary CA, O=Certplus, C=FR
  2. CN=Class 3P Primary CA, O=Certplus, C=FR
  3. CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

D-TRUST GmbH

  1. CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
  2. CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE

IdenTrust

  1. CN=DST Root CA X3, O=Digital Signature Trust Co.
  2. CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
  3. CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US

Let's Encrypt

  1. CN=ISRG Root X1, O=Internet Security Research Group, C=US

LuxTrust

  1. CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU

QuoVadis Ltd.

  1. CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  2. CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  3. CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  4. CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  5. CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  6. CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM

Secom Trust Systems

  1. OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  2. OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  3. OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

SwissSign AG

  1. CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  2. CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  3. CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH

Telia

  1. CN=Sonera Class2 CA, O=Sonera, C=FI

Trustwave

  1. CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  2. CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US

Testing

Tests will be created to verify the integrity of the cacerts keystore by verifying the SHA-256 fingerprint of each root certificate. If practical, tests will also be written to validate test certificates, issued by the CAs, that chain back to the included roots. Additional tests will be added to ensure that security components that depend on root certificates work out-of-the-box on OpenJDK builds without any additional configuration.