Summary

Provide a default set of root Certification Authority (CA) certificates in the JDK.

Goals

Open-source the root certificates in Oracle's Java SE Root CA program in order to make the OpenJDK builds more attractive to developers and to reduce the differences between those builds and the Oracle JDK.

Motivation

The cacerts keystore is intended to contain a set of root certificates for establishing trust in certificate chains used in various security protocols. However, the JDK source code currently includes an empty cacerts keystore. The result is that critical security components like TLS do not work by default for OpenJDK builds. To work around this issue, users must configure and populate the cacerts keystore with a set of root certificates, for example, as documented in the JDK 9 release notes.

Description

The cacerts keystore will be populated with a set of root certificates issued by the CAs of Oracle's Java SE Root CA Program. As a prerequisite, each CA must sign the Oracle Contributor Agreement (OCA) or an equivalent agreement that grants Oracle broad rights to open-source the roots before the certificates can be included. Below are the CAs that have signed the required agreement and, for each, the list of root certificates (identified by their Distinguished Names) targeted for inclusion as part of this JEP:

Actalis S.p.A.

  1. CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT

Buypass AS

  1. CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
  2. CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO

Camerfirma

  1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
  2. CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
  3. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

Certum

  1. CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  2. CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Chunghwa Telecom Co., Ltd.

  1. OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW

Comodo CA Ltd.

  1. CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  2. CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
  3. CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
  4. CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
  5. CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  6. CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
  7. CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  8. CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
  9. CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  10. CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
  11. CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Digicert Inc.

  1. CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  2. CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
  3. CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  4. CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  5. CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  6. CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
  7. CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  8. CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  9. CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
  10. CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  11. OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  12. CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  13. CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  14. CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  15. CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  16. CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  17. CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
  18. CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
  19. CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  20. CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  21. CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
  22. CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  23. EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
  24. CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
  25. OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  26. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  27. CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  28. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  29. CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  30. OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  31. OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
  32. CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  33. CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  34. CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  35. CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

DocuSign

  1. CN=Class 2 Primary CA, O=Certplus, C=FR
  2. CN=Class 3P Primary CA, O=Certplus, C=FR
  3. CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

D-TRUST GmbH

  1. CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
  2. CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE

Let's Encrypt

  1. CN=ISRG Root X1, O=Internet Security Research Group, C=US

LuxTrust

  1. CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU

QuoVadis Ltd.

  1. CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
  2. CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
  3. CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
  4. CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
  5. CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
  6. CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM

Secom Trust Systems

  1. OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  2. OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
  3. OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

SwissSign AG

  1. CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
  2. CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  3. CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH

Telia

  1. CN=Sonera Class2 CA, O=Sonera, C=FI
  2. CN=TeliaSonera Root CA v1, O=TeliaSonera

Trustwave

  1. CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  2. CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US

Testing

Tests will be created to verify the integrity of the cacerts keystore by checking the SHA-256 fingerprint of each root certificate. If practical, tests will also be included to validate test certificates (issued by the CAs) that chain back to the included roots. Additional tests will be added to ensure that security components that depend on root certificates work out-of-the-box on OpenJDK builds and do not require additional configuration.
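As an added example (not part of the JEP or of the JDK's own test suite), the following Java program performs the kinds of checks described above against the cacerts keystore of the JDK it runs on: it records or verifies the SHA-256 fingerprint of every trusted-certificate entry, additionally confirms that each root is self-signed and inside its validity period, and validates a PEM-encoded chain against the roots with the PKIX CertPathValidator. The `CacertsCheck` class name, the `cacerts` system property override and the `alias=fingerprint` file format are assumptions of this example; the location `lib/security/cacerts` under `java.home` and the default store password `changeit` are the JDK's own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

/**
 * Example integrity checks for cacerts (not JDK code).
 *   java CacertsCheck gen   > expected.txt   # record alias=fingerprint lines
 *   java CacertsCheck check expected.txt     # compare the keystore against them
 *   java CacertsCheck chain leaf-and-intermediates.pem
 */
public class CacertsCheck {

    // java.home is the JRE directory on JDK 8 and the image root on JDK 9+, so this
    // resolves the bundled cacerts on both; -Dcacerts=<path> overrides it (assumed property).
    static final Path CACERTS = Paths.get(System.getProperty("cacerts",
            System.getProperty("java.home") + "/lib/security/cacerts"));

    static KeyStore loadCacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(CACERTS)) {
            ks.load(in, "changeit".toCharArray()); // well-known default cacerts password
        }
        return ks;
    }

    /** Uppercase hex SHA-256 over the DER encoding, the same value keytool -list prints. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** alias -> fingerprint for every trustedCertEntry, sorted by alias for stable output. */
    static Map<String, String> fingerprints(KeyStore ks) throws Exception {
        Map<String, String> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) out.put(alias, sha256Fingerprint(ks.getCertificate(alias)));
        }
        return out;
    }

    /** Returns the list of problems found; an empty list means the keystore matches the expected set. */
    static List<String> check(KeyStore ks, Map<String, String> expected) throws Exception {
        List<String> problems = new ArrayList<>();
        Map<String, String> actual = fingerprints(ks);
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String fp = actual.get(e.getKey());
            if (fp == null) problems.add("missing root: " + e.getKey());
            else if (!fp.equalsIgnoreCase(e.getValue())) problems.add("fingerprint mismatch: " + e.getKey());
        }
        for (String alias : actual.keySet()) {
            if (!expected.containsKey(alias)) problems.add("unexpected entry: " + alias);
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            try {
                c.verify(c.getPublicKey()); // a root must be self-signed ...
                c.checkValidity();          // ... and neither expired nor not-yet-valid
            } catch (GeneralSecurityException ex) {
                problems.add(alias + ": " + ex);
            }
        }
        return problems;
    }

    /** PKIX-validates a leaf-first PEM chain against the cacerts roots; returns the anchor's subject DN. */
    static String validateChain(KeyStore ks, Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        // RFC 5280 path validation excludes the trust anchor itself, so drop a trailing self-signed root.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(ks); // every trustedCertEntry becomes a TrustAnchor
        params.setRevocationEnabled(false);             // offline test; keep revocation on in production
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                cpv.validate(cf.generateCertPath(chain), params);
        return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadCacerts();
        String mode = args.length > 0 ? args[0] : "";
        if (mode.equals("gen")) {
            fingerprints(ks).forEach((alias, fp) -> System.out.println(alias + "=" + fp));
        } else if (mode.equals("check") && args.length == 2) {
            Map<String, String> expected = new TreeMap<>();
            for (String line : Files.readAllLines(Paths.get(args[1]))) {
                int eq = line.indexOf('=');
                if (eq > 0) expected.put(line.substring(0, eq), line.substring(eq + 1).trim());
            }
            List<String> problems = check(ks, expected);
            problems.forEach(System.err::println);
            System.out.println(problems.isEmpty() ? "OK: " + expected.size() + " roots verified" : "FAILED");
            System.exit(problems.isEmpty() ? 0 : 1);
        } else if (mode.equals("chain") && args.length == 2) {
            System.out.println("chains to: " + validateChain(ks, Paths.get(args[1])));
        } else {
            System.err.println("usage: gen | check <expected-file> | chain <pem-file>");
            System.exit(2);
        }
    }
}
```

Run `gen` once against a keystore you have reviewed and commit its output; `check` then fails on any root that is missing, replaced, extra, expired or not self-signed, which is what a tampered or stale cacerts looks like. The `chain` mode is the offline counterpart of the chain-validation tests the JEP mentions: point it at a leaf plus intermediates issued under one of the listed roots and it reports which trust anchor the path terminates at.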