Missing root CAs in cacerts

Andrew Haley aph at redhat.com
Mon May 18 09:42:37 UTC 2020

On 5/18/20 8:59 AM, Magnus Ihse Bursie wrote:
> I've personally run into the issue of missing CAs from Java. It was
> infuriatingly hard to debug and understand why I was able to access
> a web resource from the browser, and from wget, but the Java tool
> designed to download it failed, with a very non-descriptive error
> message. So I'm all for moving to an industry standard base for
> cacerts.

From a free software distro point of view, this is something best
handled by the OS itself: that way the user (or the admin) of the
system gets to choose what to trust. Having said that, Red Hat uses
https://fedoraproject.org/wiki/CA-Certificates, which is the Mozilla
CA root certificate bundle, somewhat modified. As far as I'm aware
every distro patches OpenJDK to use its own list, which I guess is
why this issue hasn't got much attention on GNU/Linux systems.

What does Windows do? Do they have a system-wide list?

Andrew Haley  (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671

More information about the jdk-dev mailing list