Move the root certificates that are delivered in the cacerts keystore in Oracle's JDK to OpenJDK so that there are no differences. The cacerts keystore in OpenJDK is currently empty and this prevents things like TLS from working out-of-the-box. This is part of the overall effort to make the OpenJDK and Oracle JDK builds the same.
Each CA must must sign the Oracle Contributor Agreement (OCA) or an equivalent agreement that permits Oracle broad open sourcing rights of the roots before the certificates can be included. Those that do not sign an agreement will not be included. Those that take longer to process will be included in the next release (JDK 11). See the JEP (JDK-8191486) for more details.