Missing root CAs in cacerts
Sean Mullan
sean.mullan at oracle.com
Mon May 18 20:11:44 UTC 2020
In case you were not aware, the JDK already supports "Windows-ROOT" and
"KeychainStore" KeyStore implementations that can access the root
certificates of Windows and MacOS keystores, respectively [1, 2].
However, it doesn't work out of the box -- for TLS, you need to
minimally configure the javax.net.ssl.trustStoreType and
javax.net.ssl.trustStore properties. Other useful options like "keytool
-trustcacerts" assume the cacerts keystore.
It would take more thought and some amount of work to make it more
seamless across the different security components of the JDK.
That said, this would not necessarily address the root CA consistency
issues, as these different OSes have their own root CA Programs and thus
the set of roots can vary across each platform.
--Sean
[1] https://docs.oracle.com/en/java/javase/14/security/oracle-providers.html#GUID-4F1737D6-1569-4340-B140-678C70E63CD5
[2] https://docs.oracle.com/en/java/javase/14/security/oracle-providers.html#GUID-3185649A-C316-45F2-A70E-2B3FF6BDC34F
On 5/18/20 6:51 AM, Andreas Ahlenstorf wrote:
> On Mon, May 18, 2020, at 11:42, Andrew Haley wrote:
>> What does Windows do? Do they have a system-wide list?
>
> Both Microsoft and Apple have their own CA root program and system-wide APIs to access the list of trusted CA certificates. From an admin's POV, it would be great if those lists could be reused.
>
> Windows:
> * https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
> * https://docs.microsoft.com/en-us/windows/win32/seccrypto/example-c-program-certificate-store-operations
>
> macOS:
> * https://www.apple.com/certificateauthority/ca_program.html
> * https://developer.apple.com/documentation/security/keychain_services
>
> Andreas
>
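As an added illustration of the route Sean describes (this is example code, not code from the post, the JDK, or the Oracle provider docs it cites), the snippet below opens the OS-backed KeyStore type by name ("Windows-ROOT" on Windows, "KeychainStore" on macOS), lists the trusted certificate entries it exposes, and builds an SSLContext whose TrustManager is backed by that store instead of cacerts. The class name OsRootTrust and the helper names are this example's own; which entries the store actually exposes depends on the JDK version and platform, so the listing is there precisely so you can check what your JDK sees before relying on it.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OsRootTrust {

    // Map the running OS to the KeyStore type the JDK providers register for it.
    static String osTrustStoreType() {
        String os = System.getProperty("os.name", "").toLowerCase();
        if (os.startsWith("windows")) return "Windows-ROOT";   // SunMSCAPI provider
        if (os.startsWith("mac"))     return "KeychainStore";  // Apple provider
        throw new UnsupportedOperationException("no OS-backed root store on " + os);
    }

    // These store types are not file-backed: load(null, null) attaches to the live OS store.
    static KeyStore loadOsRoots() throws Exception {
        KeyStore ks = KeyStore.getInstance(osTrustStoreType());
        ks.load(null, null);
        return ks;
    }

    // Count the trusted certificate entries and print their subjects so the
    // operator can verify what the JDK actually sees on this machine.
    static int listTrustedRoots(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + cert.getSubjectX500Principal());
            count++;
        }
        return count;
    }

    // Programmatic equivalent of setting javax.net.ssl.trustStoreType /
    // javax.net.ssl.trustStore: the TrustManager is built from the OS store,
    // so TLS peers are validated against the OS root program, not cacerts.
    static SSLContext sslContextFromOsRoots() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadOsRoots());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadOsRoots();
        int roots = listTrustedRoots(ks);
        System.out.println(roots + " trusted certificate entries in " + ks.getType());
        SSLContext ctx = sslContextFromOsRoots();
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Run it with `java OsRootTrust` on the platform in question. The context it builds only affects connections that use it explicitly; tools that assume the cacerts file, such as `keytool -trustcacerts` as noted in the post, are unaffected, and as Sean points out the set of roots you get will differ between the Windows and Apple root programs.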