JDK-8195793 : Remove GTE CyberTrust Global Root
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11,12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-01-19
  • Updated: 2020-11-25
  • Resolved: 2019-01-31
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 Other
11.0.4-oracleFixed 12 b17Fixed openjdk8u222Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8212691 :  
The GTE CyberTrust Global Root expires on Aug. 13, 2018. It also uses a 1024-bit key and MD5 signature. There is no replacement for this root. The cacerts keystore alias name for this root is "gtecybertrustglobalca [jdk]".

Certificates that chain back to this root have been issued for TLS and code signing. With code signing certificates, the signed code may have also been timestamped, allowing that code to continue to be valid even after the code signing certificate (or any CA in its chain, including the root) expires. Thus, if we removed this root, there is a risk that we would break existing signed code that has been timestamped with certificates chaining back to this root.

However, this is primarily a risk for signed applets and Web Start apps. Applets are deprecated as of JDK 9 and Oracle does not include Web Start in JDK 11. I am not aware of other use cases for timestamping Java code. Therefore, I think it is safe and of minimal risk to remove this root going forward.
Fix Request: This needs to be backported to OpenJDK 11.0.4 because it's part of Oracle's 11.0.4. It'll apply cleanly if we also integrate the test fixes JDK-8211350, JDK-8211969 and JDK-8211971 Backport to OpenJDK 8 will be resolved with push for JDK-8189131.