This is a new `jlink` plugin which allows the user to specify the CA certificates they want to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
For example:
`jlink --cacerts "letsencryptisrgx1 [jdk]"`
or
`jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
-------------
Commit messages:
- Initial revision.
Changes: https://git.openjdk.org/jdk/pull/29700/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=29700&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8377102
Stats: 250 lines in 4 files changed: 247 ins; 0 del; 3 mod
Patch: https://git.openjdk.org/jdk/pull/29700.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/29700/head:pull/29700
PR: https://git.openjdk.org/jdk/pull/29700
On Thu, 12 Feb 2026 18:12:34 GMT, Sean Mullan <mullan@openjdk.org> wrote:
This is a new `jlink` plugin which allows the user to specify the CA certificates they want to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
For example:
`jlink --cacerts "letsencryptisrgx1 [jdk]"`
or
`jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/CACertsPlugin.java line 108:
```java
106:         ks.load(null, null);
107:         for (var entry : certs.entrySet()) {
108:             ks.setCertificateEntry(entry.getKey(), entry.getValue());
```
Assuming the original entry has attributes, do we want to copy them into the new keystore?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r2800519127
On Thu, 12 Feb 2026 18:47:56 GMT, Weijun Wang <weijun@openjdk.org> wrote:
This is a new `jlink` plugin which allows the user to specify the CA certificates they want to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
For example:
`jlink --cacerts "letsencryptisrgx1 [jdk]"`
or
`jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/CACertsPlugin.java line 108:
```java
106:         ks.load(null, null);
107:         for (var entry : certs.entrySet()) {
108:             ks.setCertificateEntry(entry.getKey(), entry.getValue());
```
Assuming the original entry has attributes, do we want to copy them into the new keystore?
I could; I think it is easy enough to do, although I'm not aware of any use cases that depend on attributes, and `keytool` doesn't support them.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r2800695726
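An added standalone sketch, not the PR's `CACertsPlugin`, showing the alias parsing described in the PR description and one answer to the attribute question above: copying selected trusted-certificate entries through `KeyStore.Entry` so their attributes travel with them, instead of `setCertificateEntry`, which carries only the certificate. The input path, output file name, alias list and store password are assumptions.

```java
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper (not the PR's plugin): trim a cacerts keystore to a set of aliases. */
public class CacertsFilter {

    /** Parse a --cacerts style value: comma-separated aliases, surrounding whitespace trimmed. */
    static List<String> parseAliases(String option) {
        return Arrays.stream(option.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .toList();
    }

    /** Copy the selected trusted-certificate entries, attributes included, into a new keystore. */
    static KeyStore filter(KeyStore src, List<String> aliases) throws Exception {
        KeyStore dst = KeyStore.getInstance(src.getType());
        dst.load(null, null);
        for (String alias : aliases) {
            if (!src.isCertificateEntry(alias)) {
                // Fail closed: a mistyped alias must not silently produce a smaller trust store.
                throw new IllegalArgumentException("not a trusted certificate entry: " + alias);
            }
            // getEntry/setEntry move the whole KeyStore.Entry, so attributes on the original
            // TrustedCertificateEntry are preserved where the store type supports them (PKCS12 does).
            KeyStore.Entry entry = src.getEntry(alias, null);
            dst.setEntry(alias, entry, null);
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the running JDK's own cacerts file and the alias syntax of the jlink option.
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        List<String> aliases = parseAliases("letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]");

        // Type is auto-detected (JKS or PKCS12); a null password skips the integrity check,
        // which is acceptable when reading a trust store that holds no secrets.
        KeyStore src = KeyStore.getInstance(cacerts.toFile(), (char[]) null);
        KeyStore dst = filter(src, aliases);

        try (OutputStream out = Files.newOutputStream(Path.of("cacerts-trimmed"))) {
            dst.store(out, "changeit".toCharArray());  // assumed password: the conventional cacerts one
        }
        System.out.println("kept " + dst.size() + " of " + src.size() + " entries");
    }
}
```

Compare `keytool -list -v` output for the trimmed file against the source store to confirm that only the requested aliases survived and that no alias was silently skipped.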
On Thu, 12 Feb 2026 18:12:34 GMT, Sean Mullan <mullan@openjdk.org> wrote:
This is a new `jlink` plugin which allows the user to specify the CA certificates they want to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
For example:
`jlink --cacerts "letsencryptisrgx1 [jdk]"`
or
`jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
Are you planning to update the man page?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/29700#issuecomment-3898427375
On Fri, 13 Feb 2026 17:32:45 GMT, Alan Bateman <alanb@openjdk.org> wrote:
Are you planning to update the man page?
That's a good question. Part of me is wondering if I have enough data to know if this plugin is covering the most common use cases. I was wondering if it should initially be "experimental" with a plan to make it official. (There are a number of jlink plugins that are experimental or unsupported.) I have not thought much about building extensibility into the command line option. Currently, it is very simple and I think covers the most common use case. However, I am curious if there is a need to support adding additional root certs (ex: by specifying a PEM file), or if the developer/admin should be required to import that into the cacerts keystore (before or after).
-------------
PR Comment: https://git.openjdk.org/jdk/pull/29700#issuecomment-3898820857
On Fri, 13 Feb 2026 18:53:38 GMT, Sean Mullan <mullan@openjdk.org> wrote:
However, I am curious if there is a need to support adding additional root certs (ex: by specifying a PEM file), or if the developer/admin should be required to import that into the cacerts keystore (before or after).
It might be helpful to sketch out how this might look and whether it would likely mean a new plugin or extending the current cacerts plugin. That would help with deciding on the discoverability and supportability of the current proposal.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/29700#issuecomment-3949763366
This is a new `jlink` plugin which allows the user to specify the CA certificates they want to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
For example:
`jlink --cacerts "letsencryptisrgx1 [jdk]"`
or
`jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: man page updates
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/29700/files
- new: https://git.openjdk.org/jdk/pull/29700/files/78eb3847..f718afed
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=29700&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=29700&range=00-01
Stats: 10 lines in 1 file changed: 10 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/29700.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/29700/head:pull/29700
PR: https://git.openjdk.org/jdk/pull/29700
participants (3)
- Alan Bateman
- Sean Mullan
- Weijun Wang