RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format
Weijun Wang
weijun.wang at oracle.com
Sun Jun 2 08:34:56 UTC 2019
The main reason I put each cert in an individual file is for the file name, which will be used as the alias in the cacerts keystore.
If all certs are in a single file, I know I can add attribute lines like "alias: name [jdk]" before each PEM block but these extra lines are not well defined and I don't like depending on them.
Anyone else also preferring this format?
Thanks,
Max
> On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>
> On 2019-05-31 at 05:32, Weijun Wang wrote:
>> Please review the CSR at
>>
>> https://bugs.openjdk.java.net/browse/JDK-8224891
>>
>> (Oh, I hate the CSR having a different bug id.)
>>
>> Basically, with this change, the cacerts file can be loaded with
>>
>> KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
>> KeyStore.getInstance(new File("cacerts"), null or anything)
>>
>> so hopefully all your old code should still work.
>>
>> I've also opened another RFE [1] that intends to find a different way to tag jdkCA entries in cacerts other than appending "[jdk]" to the alias.
>
> Can you please explain why simple PEM bundles like OpenSSL have not been
> chosen? This could have eased maintenance by factors, plus it is easily
> greppable.
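
The load calls quoted in this thread can be checked against a given JDK with the probe below. It is an added example, not part of the original messages and not OpenJDK code. Assumptions: the class name CacertsLoadCheck, the trust store at lib/security/cacerts under java.home (JDK 9 and later), and the sample passwords "changeit" (the conventional cacerts password) and "anything".

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example: probes how the running JDK's cacerts file loads.
public class CacertsLoadCheck {

    // Load via KeyStore.getInstance(type).load(stream, password); return the entry count.
    static int loadWithType(File file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default trust store location in JDK 9 and later.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        // Assumption: sample passwords chosen for the probe (null, conventional, arbitrary).
        char[][] passwords = { null, "changeit".toCharArray(), "anything".toCharArray() };

        for (String type : new String[] { "JKS", "PKCS12" }) {
            for (char[] pw : passwords) {
                String label = type + " / " + (pw == null ? "null" : "\"" + new String(pw) + "\"");
                try {
                    System.out.println(label + ": " + loadWithType(cacerts, type, pw) + " entries");
                } catch (Exception e) {
                    // A failure here means old code using this combination would break.
                    System.out.println(label + ": FAILED (" + e + ")");
                }
            }
        }

        // File-based factory (Java 9+): detects the store type from the file contents.
        // The cast picks the (File, char[]) overload; a bare null would be ambiguous.
        KeyStore ks = KeyStore.getInstance(cacerts, (char[]) null);
        long jdkTagged = Collections.list(ks.aliases()).stream()
                .filter(a -> a.endsWith("[jdk]"))
                .count();
        System.out.println("detected type: " + ks.getType()
                + ", entries: " + ks.size()
                + ", aliases ending in \"[jdk]\": " + jdkTagged);
    }
}
```

Which combinations succeed depends on the JDK build and on whether its cacerts file is still JKS or already password-less PKCS12, so compare the output across the versions you deploy.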