RFR: 8377102: cacerts jlink plugin

Weijun Wang weijun at openjdk.org
Thu Feb 12 18:50:26 UTC 2026


On Thu, 12 Feb 2026 18:12:34 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> This is a new `jlink` plugin which allows the user to specify the CA certificates it wants to include in the `cacerts` keystore in a custom runtime image. This can be very useful for creating runtimes that only contain the CA certificates that are necessary.
> 
> The command-line syntax takes one or more `cacert` keystore aliases as an option, separated by a comma.
> 
> For example: 
> 
> `jlink --cacerts "letsencryptisrgx1 [jdk]"`
> 
> or
> 
> `jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`

src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/CACertsPlugin.java line 108:

> 106:             ks.load(null, null);
> 107:             for (var entry : certs.entrySet()) {
> 108:                 ks.setCertificateEntry(entry.getKey(), entry.getValue());

Assuming the original entry has attributes, do we want to copy them into the new keystore?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r2800519127

