JDK-8216280 : Allow later Symantec Policy distrust date for two Apple SubCAs
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u221,8u211,11.0.3-oracle,12,13
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-01-07
  • Updated: 2019-09-04
  • Resolved: 2019-01-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 13 JDK 7 JDK 8 Other
11.0.3-oracleFixed 12 b29Fixed 13Fixed 7u221Fixed 8u211Fixed openjdk7uFixed
Related Reports
Relates :  
Relates :  
The JDK will stop trusting TLS Server certificates by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec. Any TLS Server certificate issued after April 16, 2019 will be restricted. This change has already been implemented and is in JDK 12 (see JDK-8207258).

Apple has requested more time to transition their users off of the legacy Symantec Root CAs that will be distrusted for TLS Server certificates. They are working with DigiCert on a transition plan and have requested a later distrust date: December 31, 2019. This later distrust date would only apply to TLS Server certificates issued from two Apple subordinate CAs: "Apple IST CA 2 - G1" and "Apple IST CA 8 - G1". Any certificate issued after that date will be distrusted. Other vendors such as Mozilla have granted similar exemptions to these Apple subCAs.
Liu Xin is working on 8u backport. Should go in together with JDK-8207258.


Fix request: The extension of the distrust date for two Apple SubCAs should be done for OpenJDK as well. Patch applies cleanly. Risk is low.

Verified by running test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java against jdk12+29 on linux-x64

The distrust policy changes for this issue have been documented and incorporated into the release note for JDK-8207258: https://bugs.openjdk.java.net/browse/JDK-8215012

Fix request approved.

Fix Request This fix extends the legacy Symantec Root CA distrust date for two Apple subordinate CAs from April 16, 2019 until the end of the year. It is important to fix this otherwise TLS Server certificates issued by these subCAs may stop working before they are replaced. The fix is low risk. New tests have been added containing certificates issued by these subCAs to ensure they will continue to be trusted until the later distrust date. The CCC has also been approved and this issue will also be backported to previous releases. Reviewers: coffeys webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/