RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v2]

Sean Mullan mullan at openjdk.org
Thu Jan 23 22:19:46 UTC 2025


On Thu, 23 Jan 2025 22:13:09 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> done
>
> I think you added the fields for the root certificates, and not these certificates. Also, these are not root certificates, so I would remove "Root Certificate".
> 
> You can use `keytool -printcert -file ...` and just include the fields before the Extensions part, e.g., for one of them:
> 
> 
> Owner: CN=Camerfirma Corporate Server II - 2015, L=Madrid (see current address at https://www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., OU=AC CAMERFIRMA, C=ES
> Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
> Serial number: 621ff31c489ba136
> Valid from: Thu Jan 15 04:21:16 EST 2015 until: Tue Dec 15 04:21:16 EST 2037
> Certificate fingerprints:
> 	 SHA1: FE:72:7A:78:EA:0C:03:35:CD:DA:9C:2E:D7:5F:D4:D4:6F:35:C2:EF
> 	 SHA256: 66:EA:E2:70:9B:54:CD:D1:69:31:77:B1:33:2F:F0:36:CD:D0:F7:23:DB:30:39:ED:31:15:55:A6:CB:F5:FF:3E
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 4096-bit RSA key
> Version: 3

I noticed the Entrust chains have a similar issue, but we can fix those up later.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1927754599

