RFR: 8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs [v3]

Mark Powers mpowers at openjdk.org
Fri Jan 24 17:37:52 UTC 2025


On Thu, 23 Jan 2025 22:17:14 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> I think you added the fields for the root certificates, and not these certificates. Also, these are not root certificates, so I would remove "Root Certificate".
>> 
>> You can use `keytool -printcert -file ...` and just include the fields before the Extensions part, e.g. for one of them:
>> 
>> 
>> Owner: CN=Camerfirma Corporate Server II - 2015, L=Madrid (see current address at https://www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., OU=AC CAMERFIRMA, C=ES
>> Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
>> Serial number: 621ff31c489ba136
>> Valid from: Thu Jan 15 04:21:16 EST 2015 until: Tue Dec 15 04:21:16 EST 2037
>> Certificate fingerprints:
>> 	 SHA1: FE:72:7A:78:EA:0C:03:35:CD:DA:9C:2E:D7:5F:D4:D4:6F:35:C2:EF
>> 	 SHA256: 66:EA:E2:70:9B:54:CD:D1:69:31:77:B1:33:2F:F0:36:CD:D0:F7:23:DB:30:39:ED:31:15:55:A6:CB:F5:FF:3E
>> Signature algorithm name: SHA256withRSA
>> Subject Public Key Algorithm: 4096-bit RSA key
>> Version: 3
>
> I noticed the Entrust chains have a similar issue, but we can fix those up later.

Camerfirma test chains have been updated.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22985#discussion_r1929022991

