RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format

Weijun Wang weijun.wang at oracle.com
Fri May 31 03:32:49 UTC 2019

Please review the CSR at


(Oh, I hate the CSR having a different bug id.)

Basically, with this change, the cacerts file can be loaded with

   KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
   KeyStore.getInstance(new File("cacerts"), null or anything)

so hopefully all your old code should still work.

I've also opened another RFE [1] that intends to find a different way to tag jdkCA entries in cacerts other than appending "[jdk]" to the alias.


[1] https://bugs.openjdk.java.net/browse/JDK-8225099

More information about the security-dev mailing list