JDK-6904162 : Add new VeriSign root CA certificates to JRE and remove some old/unused ones
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6,7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_9
  • CPU: generic,sparc
  • Submitted: 2009-11-23
  • Updated: 2015-03-08
  • Resolved: 2009-12-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • Other: 1.4.2_26,OpenJDK6 Fixed
  • JDK 6: 6u19 b01 Fixed
  • JDK 7: 7 Fixed
  • Other: OpenJDK6 Resolved
Description
We need to add a number of new VeriSign root CA certificates to the JRE in order to support extended validation certificates and other recent certificates that VeriSign has or will begin issuing under these new roots. There are also a few root certificates that we can remove because they were never put in production or are no longer applicable. Also some of the new root certificates will replace existing certificates and have stronger digest algorithms (SHA-1 instead of MD5).

Comments
EVALUATION "equifaxsecureebusinessca2" was also removed as it is no longer used.
27-04-2010

EVALUATION For JRE 6, the following new aliases were added to the cacerts file:
  • verisignuniversalrootca
  • verisignclass3g5ca
  • thawteprimaryrootca
  • geotrustprimaryca
  • geotrustprimarycag3
  • thawteprimaryrootcag3
  • geotrustuniversalca
The following aliases were removed because their root certs are not applicable or were never put into production:
  • thawtepersonalbasicca
  • thawtepersonalpremiumca
  • verisignclass2ca
The following aliases were replaced with certificates signed with stronger (SHA1withRSA instead of MD*withRSA) algorithms:
  • thawtepersonalfreemailca
  • thawtepremiumserverca
  • thawteserverca
  • verisignclass1ca
  • verisignclass3ca
02-12-2009
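
A way to check whether a deployed cacerts file reflects the alias changes listed in the comments above, as an added example that is not part of the bug report or the JDK's own code. It parses the text of `keytool -list -v`; the sample input is constructed, and the finding labels (`stale-root`, `missing-root`, `md-digest`) are names chosen here.

```python
import re

# Alias lists copied from the EVALUATION comments on this page.
ADDED = {"verisignuniversalrootca", "verisignclass3g5ca", "thawteprimaryrootca",
         "geotrustprimaryca", "geotrustprimarycag3", "thawteprimaryrootcag3",
         "geotrustuniversalca"}
REMOVED = {"thawtepersonalbasicca", "thawtepersonalpremiumca",
           "verisignclass2ca", "equifaxsecureebusinessca2"}
REPLACED = {"thawtepersonalfreemailca", "thawtepremiumserverca",
            "thawteserverca", "verisignclass1ca", "verisignclass3ca"}

# Constructed sample of trimmed `keytool -list -v` output (algorithms made up).
SAMPLE = """\
Alias name: verisignclass3ca
     Signature algorithm name: MD2withRSA
Alias name: thawteserverca
     Signature algorithm name: SHA1withRSA
Alias name: verisignclass2ca
     Signature algorithm name: MD2withRSA
Alias name: verisignclass3g5ca
     Signature algorithm name: SHA1withRSA
"""

def parse_keytool(text):
    """Return {alias: signature algorithm} from `keytool -list -v` text."""
    entries, alias = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip().lower()
            entries[alias] = None
        elif line.startswith("Signature algorithm name:") and alias:
            # Keep the first token only, in case text follows the name.
            entries[alias] = line.split(":", 1)[1].split()[0]
    return entries

def audit(entries):
    """List (finding, alias) pairs where the store lags the change above."""
    present = set(entries)
    findings = [("stale-root", a) for a in sorted(REMOVED & present)]
    findings += [("missing-root", a) for a in sorted(ADDED - present)]
    # A replaced alias still signed with an MD* digest was never swapped.
    findings += [("md-digest", a) for a in sorted(REPLACED & present)
                 if re.match(r"MD\d", entries[a] or "", re.I)]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_keytool(SAMPLE)):
        print(*finding)
```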