Re: Request to include “HARICA TLS RSA Root CA 2021” and “HARICA TLS ECC Root CA 2021” in OpenJDK cacerts
Sean Mullan
sean.mullan at oracle.com
Thu Dec 4 13:42:05 UTC 2025
Hi,
Thanks for your inquiry.
All root CA certificate requests should be initiated by the Certificate
Authority using the process defined at
https://www.oracle.com/java/technologies/javase/carootcertsprogram.html
In this case, an application has already been filed by Harica for the
roots below and it is being evaluated.
--Sean
On 12/1/25 4:53 AM, Martijn de Haar wrote:
> Dear OpenJDK Security Team,
>
> I would like to request the inclusion of the following HARICA root
> certificates in the default OpenJDK |cacerts| truststore:
>
> * *HARICA TLS RSA Root CA 2021*
> * *HARICA TLS ECC Root CA 2021*
>
> These roots are part of HARICA’s 2021 TLS Root hierarchy and are already
> included in all major trust programs (Apple, Microsoft, Mozilla, Google,
> Oracle) and in modern operating system trust stores. However, they do
> not appear to be present in the current OpenJDK |cacerts| file, while
> the older HARICA 2015 roots are included (added under JDK-8260597).
>
> This absence causes Java applications to fail TLS validation when
> connecting to services that use certificates issued under the 2021
> HARICA hierarchy.
>
> Thank you for your time and consideration.
>
> Kind regards,
>
> Martijn de Haar