Missing root CAs in cacerts

Sean Mullan sean.mullan at oracle.com
Mon May 18 20:11:44 UTC 2020

In case you were not aware, the JDK already supports "Windows-ROOT" and 
"KeychainStore" KeyStore implementations that can access the root 
certificates of Windows and MacOS keystores, respectively [1, 2]. 
However, it doesn't work out of the box -- for TLS, you need to 
minimally configure the javax.net.ssl.trustStoreType and 
javax.net.ssl.trustStore properties. Other useful options like "keytool 
-trustcacerts" assume the cacerts keystore.

It would take more thought and some amount of work to make it more 
seamless across the different security components of the JDK.

That said, this would not necessarily address the root CA consistency 
issues, as these different OSes have their own root CA Programs and thus 
the set of roots can vary across each platform.



On 5/18/20 6:51 AM, Andreas Ahlenstorf wrote:
> On Mon, May 18, 2020, at 11:42, Andrew Haley wrote:
>> What does Windows do? Do they have a system-wide list?
> Both Microsoft and Apple have their own CA root program and system-wide APIs to access the list trusted of CA certificates. From an admin's POV, it would be great if those lists could be reused.
> Windows:
> * https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
> * https://docs.microsoft.com/en-us/windows/win32/seccrypto/example-c-program-certificate-store-operations
> macOS:
> * https://www.apple.com/certificateauthority/ca_program.html
> * https://developer.apple.com/documentation/security/keychain_services
> Andreas

More information about the jdk-dev mailing list