cacerts bundled with OpenJDK

Henri Gomez henri.gomez at
Tue Jun 5 11:42:19 UTC 2012

>> I don't know if it's a case that I know too much about the world of CAs,
>> and am scared about what this would mean; or if it's a case I don't know
>> enough, so I'm scared about what this would mean. :)
> I think that is a good attitude to take wrt CA authorities :)

Of course, it's mandatory.

> I don't agree here though. Almost anybody using java will want at least
> ssl/https to the public internet to work. Which defines a pretty well
> defined base set of root CAs to provide.


>> You use Mozilla as an example (which I see more as a consumer/end user
>> product than most OSS).
> I think almost any free software project is end user oriented. Why else
> would we hack on it? :) Picking the set Mozilla root CAs and/or making
> it easy/trivial to integrate them in a build (when NSS is installed
> already anyway) seems the right thing to do. Which is already what every
> distro does anyway, so better to make the default build be as close as
> possible to that.
> Mozilla seems to have figured this one out (or at least as the best
> public policy around this), so it makes sense to by default adopt the
> Mozilla/NSS bundle.

That's the way I followed in OpenJDK for OSX:

This script will grab cacerts from Mozilla pre-processed by the curl team
and transform them into cacerts.

At build time, cacerts is rebuilt if older than one week and provided
to the OpenJDK build via ALT_CACERTS_FILE
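
The workflow described in the message above, sketched as an added example; it is not Henri Gomez's script, which is not reproduced on this page. The bundle URL (curl's published Mozilla extract), the `mozilla-NNN` alias scheme, the function names and the default `changeit` keystore password are assumptions.

```shell
#!/bin/sh
# Added example: refresh a Java cacerts keystore from a Mozilla-derived PEM bundle.
# BUNDLE_URL, the alias scheme and the "changeit" password are assumptions.
BUNDLE_URL="${BUNDLE_URL:-https://curl.se/ca/cacert.pem}"
MAX_AGE_MIN=$((7 * 24 * 60))   # one week, as in the message

# True (0) when the keystore is missing or older than one week.
needs_rebuild() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$MAX_AGE_MIN" 2>/dev/null)" ]
}

# Split a PEM bundle into one file per certificate; print how many were written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/mozilla-%03d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Build a fresh keystore in a scratch directory and swap it in only on success.
rebuild_cacerts() {
    keystore=$1
    work=$(mktemp -d) || return 1
    curl --fail --silent --show-error --proto '=https' -o "$work/bundle.pem" "$BUNDLE_URL" || return 1
    count=$(split_bundle "$work/bundle.pem" "$work/certs")
    # A truncated or empty download must not replace a working trust store.
    [ "$count" -gt 0 ] || { echo "no certificates in bundle" >&2; return 1; }
    for pem in "$work"/certs/*.pem; do
        name=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts -alias "$name" \
            -file "$pem" -keystore "$work/cacerts" -storepass changeit >/dev/null || return 1
    done
    mv "$work/cacerts" "$keystore" && rm -rf "$work"
}

# Call before the build, then hand the resulting file to it via ALT_CACERTS_FILE.
refresh_if_stale() {
    if needs_rebuild "$1"; then rebuild_cacerts "$1"; fi
}
```

Because the new keystore is assembled in a scratch directory and moved into place last, a failed download or a rejected certificate leaves the previous `cacerts` untouched.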

