Missing root CAs in cacerts

Andreas Ahlenstorf andreas at ahlenstorf.ch
Thu May 14 17:44:53 UTC 2020


At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).

Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs [1] fixes the problem. [2] contains the full analysis based on OpenJDK 14.0.1 including an executable test case.


* Does OpenJDK want to do something about that?
* Is there interest for a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?


>From a end user's perspective, it is inscrutable why it is possible to connect to a website using their browser, curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs a closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.


[1] https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
[2] https://github.com/AdoptOpenJDK/openjdk-support/issues/13#issuecomment-626147267

More information about the jdk-dev mailing list