JDK-8222136 : Remove two Comodo root CA certificates that are expiring
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7-pool,8-pool,11-pool,12-pool,13
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-04-08
  • Updated: 2019-08-14
  • Resolved: 2019-05-15
Fix Versions
  • JDK 11: 11.0.4 (Fixed)
  • JDK 12: 12.0.2 (Fixed)
  • JDK 13: 13 b21 (Fixed)
  • JDK 7: 7u231 (Fixed)
  • JDK 8: 8u221 (Fixed)
  • Other: openjdk8u222 (Fixed)
Sub Tasks
JDK-8223976 :  
Description
The following root certificates (subject DNs below) are expiring on Jul 09 2019: 

1. CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
2. CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
3. CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

The replacement root (for all 3) is "USERTrust RSA Certification Authority" (https://crt.sh/?id=1199354), which is already in the Java root store.

The first two roots can be safely removed after they expire. However, the 3rd root should be retained since there were many code signing certificates issued that chain back to this root and removing this root could break signed code that was also timestamped and is still in use. In this case, the root CA is still needed in order to properly verify the certificate chain.
Comments
Technically we're past the point of taking in non-critical fixes, but I'm making an exception for expiring cert removal.
22-05-2019

JDK 12u Fix Request: Removal of expiring certificates
21-05-2019

Fix Request: This update for OpenJDK's root certificates has to be brought down to jdk8 and jdk11 updates. Patch applies cleanly.
16-05-2019

The corresponding cacerts aliases for these roots are:

1. "utnuserfirstclientauthemailca [jdk]": "CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US"
2. "utnuserfirsthardwareca [jdk]": "CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US"
3. "utnuserfirstobjectca [jdk]": "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US"

The replacement root for the first two roots has the alias "usertrustrsaca [jdk]": "CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US". This fix is to remove "utnuserfirstclientauthemailca [jdk]" and "utnuserfirsthardwareca [jdk]" from cacerts.
15-05-2019
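A practical way to confirm which side of this fix a given JDK is on, and to catch the next expiring anchor before it bites, is to load the cacerts store through the KeyStore API and inspect the aliases named in the comment above. The program below is an added example for this page; it is not part of the JDK change or of this bug's patch. The alias strings and subject DNs come from the description and the 15-05-2019 comment; the 90-day warning window, the class name and the command-line handling are assumptions of the example. It needs Java 8 or later (java.time) and runs against the store of the JDK that executes it unless a path is given.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Audit a JDK cacerts store for the UTN-USERFirst roots discussed in
 * JDK-8222136 and for any trust anchor that is expired or expires soon.
 * Added example for this page; not code from the JDK fix.
 *
 * Usage: java CacertsAudit [path/to/cacerts] [store-password]
 */
public class CacertsAudit {

    // Aliases quoted in the 15-05-2019 comment on JDK-8222136.
    static final List<String> REMOVED_BY_FIX = Arrays.asList(
            "utnuserfirstclientauthemailca [jdk]",   // UTN-USERFirst-Client Authentication and Email
            "utnuserfirsthardwareca [jdk]");         // UTN-USERFirst-Hardware
    static final String RETAINED_FOR_SIGNED_CODE = "utnuserfirstobjectca [jdk]"; // UTN-USERFirst-Object
    static final String REPLACEMENT = "usertrustrsaca [jdk]";                    // USERTrust RSA Certification Authority

    // Assumed threshold for the "expiring" report; not taken from the bug.
    static final Duration WARN_WINDOW = Duration.ofDays(90);

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory on JDK 7/8 and the JDK root on 9+,
        // so lib/security/cacerts resolves correctly on both.
        Path storePath = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // A null password loads the store without verifying its integrity.
        // Pass the real password ("changeit" on stock JDKs) to have it checked.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, password);
        }
        System.out.println("Trust store: " + storePath + " (" + ks.size() + " entries)");

        // 1. The aliases this bug touches: two removed, one deliberately kept, one replacement.
        for (String alias : REMOVED_BY_FIX) {
            System.out.printf("%-40s %s%n", alias, ks.containsAlias(alias)
                    ? "PRESENT (JDK predates the fix)"
                    : "absent (expected once the fix is applied)");
        }
        System.out.printf("%-40s %s%n", RETAINED_FOR_SIGNED_CODE, ks.containsAlias(RETAINED_FOR_SIGNED_CODE)
                ? "present (kept so timestamped signed code still chains to it)"
                : "absent");
        System.out.printf("%-40s %s%n", REPLACEMENT, ks.containsAlias(REPLACEMENT)
                ? "present"
                : "ABSENT (replacement root missing)");

        // 2. Every trust anchor that is already expired or expires within WARN_WINDOW.
        Instant now = Instant.now();
        Instant horizon = now.plus(WARN_WINDOW);
        List<String> aliases = Collections.list(ks.aliases());
        Collections.sort(aliases);
        System.out.println();
        System.out.println("Expired or expiring trust anchors:");
        for (String alias : aliases) {
            if (!ks.isCertificateEntry(alias)) {
                continue; // cacerts holds only trusted-certificate entries, but be defensive
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            Instant notAfter = cert.getNotAfter().toInstant();
            if (notAfter.isAfter(horizon)) {
                continue;
            }
            String state = notAfter.isBefore(now) ? "EXPIRED " : "EXPIRING";
            System.out.printf("  %s %s  %-40s %s%n", state, notAfter, alias,
                    cert.getSubjectX500Principal().getName());
        }
    }
}
```

Run it with `java CacertsAudit` to audit the executing JDK, or with an explicit path to audit another installation (for example a container image's JRE). An anchor showing up as EXPIRED is not by itself a validation failure: as the description notes for the UTN-USERFirst-Object root, a chain for timestamped signed code is validated as of the timestamp, so an expired anchor must sometimes stay in the store; the report is there so the removal decision is made deliberately rather than discovered after the fact.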