Topics and trends related to the Java ecosystem with occasional random rants.

  • March 23, 2018

OpenJDK 10 Now Includes Root CA Certificates

James Connors
Principal Solutions Consultant

With the release of OpenJDK 10 on 20 March 2018, Oracle and the Java community have made good on their commitment to furnish Java releases every six months.  The JDK 11 project is well underway and the proposed schedule calls for its release on 25 September 2018, six months after the GA (General Availability) of OpenJDK 10.  Alongside this significant change in release cadence, Oracle has pledged to make its commercial implementation of OpenJDK (Java SE or the Oracle JDK) as indistinguishable as possible from OpenJDK.  This will take some time, but those efforts have commenced and are beginning to bear fruit.

One of the enhancements to JDK 10 includes, for the first time, a set of root CA (Certificate Authority) certificates incorporated into the OpenJDK source.  As specified by Java Enhancement Proposal (JEP 319), providing root CA certificates makes "OpenJDK builds more attractive to developers" and "reduces [sic] the differences between those builds and Oracle JDK builds".

Root certificates are stored, by default, in a keystore file called cacerts.  Prior to JDK 10, the source code contained an empty cacerts file, which prevented trust from being established and effectively rendered many important security protocols unusable.  To work around this shortcoming, developers had to roll their own cacerts keystore by manually populating it with a set of root certificates.

Let's examine OpenJDK 10 on a Windows desktop:

>jdk-10\bin\java --version
openjdk 10 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)

The following command utilizes the JDK keytool utility to query the cacerts keystore and count the number of certificates:

>jdk-10\bin\keytool -cacerts -list | find "Certificate" /c
Enter keystore password:  changeit

By default, the cacerts keystore password is changeit.  The 80 included certificates match the number specified in JEP 319.  The Certificate Authorities in question were required to sign an agreement granting Oracle the right to open-source their certificates.
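As an added example (not code from the post or from the JDK), the following Java program performs the same check as the keytool command above, but programmatically: it loads cacerts with the default changeit password, counts the trusted CA entries, and flags any root that is expired or expires within 90 days, so a build pipeline can fail on a JDK whose trust store is empty or stale.  It assumes the JDK 9+ layout (lib/security/cacerts under java.home); the -Dcacerts.path override is this example's own convention, not a JDK property.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Date;
import java.util.Enumeration;

public class CacertsAudit {
    // JDK 9+ keeps cacerts at <java.home>/lib/security/cacerts (JDK 8 used jre/lib/security).
    // The -Dcacerts.path override is an assumption of this example, not a JDK property.
    static Path cacertsPath() {
        String override = System.getProperty("cacerts.path");
        return override != null ? Paths.get(override)
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Loads the keystore; a wrong password fails the JKS integrity check and throws.
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path path = cacertsPath();
        KeyStore ks = load(path, "changeit".toCharArray()); // default cacerts password
        Date now = new Date();
        Date soon = new Date(now.getTime() + Duration.ofDays(90).toMillis());
        int total = 0, expired = 0, expiringSoon = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue; // only trusted-CA entries count
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            total++;
            Date notAfter = cert.getNotAfter();
            String state = notAfter.before(now) ? "EXPIRED" : notAfter.before(soon) ? "EXPIRING<90d" : null;
            if (state == null) continue;
            if (state.equals("EXPIRED")) expired++; else expiringSoon++;
            System.out.println(state + "  " + alias + "  " + cert.getSubjectX500Principal());
        }
        System.out.printf("%s: %d trusted CA certificates, %d expired, %d expiring within 90 days%n",
                path, total, expired, expiringSoon);
        if (total == 0) System.exit(1); // empty store = pre-JDK 10 OpenJDK: no TLS peer can be trusted
    }
}
```

On the JDK 10 build shown above, the total printed should agree with the keytool count (80); a non-zero exit on an empty store makes the pre-JDK 10 condition visible in CI.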

Expect to see more Oracle value-add finding its way into the OpenJDK source as time marches on.
