Symantec has informed us that we should remove several roots from the JDK as they have 1024-bit keys and/or are no longer in use. The cacerts aliases are: equifaxsecureglobalebusinessca1, equifaxsecureebusinessca1,
verisignclass2g2ca, verisignclass1g3ca, verisignclass2g3ca, verisignclass1g2ca, and verisignclass1ca
See comments for more details.
We should also remove equifaxsecureca. See comment from 2018-05-30 for more details.