cacerts bundled with OpenJDK

Deepak Bhole dbhole at redhat.com
Fri Jun 1 13:52:27 UTC 2012


* Donald Smith <donald.smith at oracle.com> [2012-06-01 08:57]:
> I don't know if it's a case that I know too much about the world of
> CAs, and am scared about what this would mean; or if it's a case I
> don't know enough, so I'm scared about what this would mean. :)
> 
> I'm not convinced it would help avoid duplication.  In many cases
> CAs won't be wanted or needed, and I believe in most cases where CAs
> are wanted by packagers (your case notwithstanding) they'll be
> wanting it from the OS perspective, or using their own corporate
> certs.
> 
> You use Mozilla as an example (which I see more as a consumer/end
> user product than most OSS).  To which I would counter example with
> OpenSSL - http://www.openssl.org/support/faq.html#USER16.
> 
> I would be interested in hearing other opinions.
> 

Just to chime in from a Fedora perspective, we link
jre/lib/security/cacerts to /etc/pki/java/cacerts which are certs
provided by Mozilla. Other applications too make use of this bundle. It
makes it easier to have everything in one place via one provider
package.

The ability to at least provide a cacerts location during build might be
helpful by a little bit, but not by much really. It'd just save an extra
ln/cp command after the build.

Cheers,
Deepak

>  - Don
> 
> On 01/06/2012 3:20 AM, Henri Gomez wrote:
> >>Disclaimer that I haven't read the thread to which you're referring.
> >>
> >>I think a key difference between Mozilla and OpenJDK is that Mozilla
> >>distributes packaged products to end users whereas OpenJDK is a
> >>collaboration of platform providers at the source code level.  Whereas
> >>cacerts are fundamentally a packaged product thing, and not entirely
> >>necessary, and fundamentally tied to whoever is distributing the binary, I
> >>don't think it would or should apply.  Whereas Mozilla is shipping product
> >>almost exclusively to end users in the form of Firefox, Thunderbird, etc,
> >>then I can understand why they would maintain certs with the products.
> >Yep.
> >
> >Providing a default cacerts in OpenJDK with a set of well-known ROOT
> >CAs would help packagers avoid duplicate work on all
> >distributions.
> >
> >I guess there are some packagers here, at least Andrew Hughes; what do
> >you think about this?
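The Fedora arrangement Deepak describes (the JDK's cacerts linked to the Mozilla-derived bundle in /etc/pki/java/cacerts) is easy to lose after a JDK update that drops a private copy of cacerts in its place. The script below is an added example, not code from this thread or from Fedora's packaging; it checks whether a JDK's cacerts is the system trust store or a diverged copy, and the JAVA_HOME fallback path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's packaging:
# check whether a JDK's cacerts is really the distro trust store that
# Deepak describes (jre/lib/security/cacerts -> /etc/pki/java/cacerts)
# or a private copy that can silently diverge from it after an update.
# The JAVA_HOME fallback path below is an assumption.

# check_cacerts JDK_CACERTS SYSTEM_CACERTS
#   0 - JDK file links to, or is byte-identical with, the system store
#   1 - JDK file exists but its contents differ (a drifted private copy)
#   2 - one of the two files is missing
check_cacerts() {
    jdk=$1
    sys=$2
    [ -e "$jdk" ] && [ -e "$sys" ] || return 2
    if [ -L "$jdk" ]; then
        # Compare fully resolved paths (GNU readlink -f) so relative links match.
        [ "$(readlink -f "$jdk")" = "$(readlink -f "$sys")" ] && return 0
    fi
    # A regular file, or a link pointing elsewhere, passes only if identical.
    cmp -s "$jdk" "$sys" && return 0
    return 1
}

# report JDK_CACERTS SYSTEM_CACERTS: one-line verdict on stdout.
report() {
    status=0
    check_cacerts "$1" "$2" || status=$?
    case $status in
        0) echo "OK: $1 is the system trust store $2" ;;
        1) echo "DRIFT: $1 differs from $2 (private copy?)" ;;
        *) echo "MISSING: $1 or $2 does not exist" ;;
    esac
}

# count_trust_anchors STORE: trusted CA entries as listed by keytool.
# 'changeit' is the conventional default password of a JDK cacerts file.
count_trust_anchors() {
    keytool -list -keystore "$1" -storepass changeit 2>/dev/null |
        grep -c trustedCertEntry
}

system_store=/etc/pki/java/cacerts
report "${JAVA_HOME:-/usr/lib/jvm/jre}/lib/security/cacerts" "$system_store"
if command -v keytool >/dev/null 2>&1 && [ -e "$system_store" ]; then
    echo "trust anchors in $system_store: $(count_trust_anchors "$system_store")"
fi
```

Run it after each JDK update; a DRIFT verdict means the JDK no longer shares the distro's CA set and needs the link restored.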
