JDK-8162628 : The CACERTS keystore type
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Won't Fix
  • Submitted: 2016-07-27
  • Updated: 2022-06-03
  • Resolved: 2021-10-13
Related Reports
Blocks :  
JDK-8194702 - pkcs12 can be loaded with null password but certificates are missing
Blocks :  
JDK-8208176 - Enhance keytool to deal with password-less pkcs12 keystores nicely
Blocks :  
JDK-8076190 - Customizing the generation of a PKCS12 keystore
CSR :  
JDK-8224891 - The CACERTS keystore type
Relates :  
JDK-8225099 - Tagging jdkCA certs in pkcs12 keystore differently
Relates :  
JDK-8153005 - Upgrade the default PKCS12 encryption/MAC algorithms
Relates :  
JDK-8163354 - keytool/jarsigner should print out warning messages or fail when -storepass is not provided to a pkcs12 keystore
Relates :  
JDK-8194749 - password handling with keytool -cacerts
Relates :  
JDK-8074426 - Add PKCS12 support for trust settings on root certificates
Description
The built-in collection of trust anchors for a JDK release is the cacerts keystore. It is in JKS format which has some limitations and is proprietary. Investigate migrating to a more standard format.
Comments
cacerts was using JKS which is not a standard and needs a password. This enhancement is one of the explorations we've searched for. Now that we've already used passwordless pkcs12 to store the file, there is no need to do more investigation in this area.
03-06-2022
Withdraw this proposal.
13-10-2021
There has been some discussion about alternatively creating a "PEM" KeyStore for cacerts for lower overhead, and improved performance. See https://mail.openjdk.java.net/pipermail/security-dev/2019-June/020068.html My recommendation: It sounds like it is worth exploring the benefits of a "PEM" Keystore implementation some more, but there is not enough time to do that in JDK 13. Given that, I think we should delay this issue and not push it to JDK 13. I think we want to avoid a case where we end up moving cacerts from JKS to PKCS12 and then changing our minds and moving it to PEM. Let's take the additional release to work out what is the best long-term solution here.
11-06-2019
Workaround before change: -Djavax.net.ssl.trustStorePassword=changeit.
11-01-2018