JDK-8225069 : Remove Comodo root certificate that is expiring in May 2020
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,11,14,15
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-05-30
  • Updated: 2022-06-27
  • Resolved: 2020-05-01
Fix Versions
  • JDK 11: 11.0.8-oracle (Fixed)
  • JDK 13: 13.0.4 (Fixed)
  • JDK 14: 14.0.2 (Fixed)
  • JDK 15: 15 b22 (Fixed)
  • JDK 7: 7u281 (Fixed)
  • JDK 8: 8u271 (Fixed)
  • Other: openjdk8u262 (Fixed)
Sub Tasks
JDK-8225130 :  
JDK-8244167 :  
The following three Comodo certificates are expiring in May 2020 and need action:

CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE


Please ensure not to remove the roots before the expiration date.
Fix Request [8u262]: Patch backports cleanly after path shuffling. Patched test fails with certificate present, passes once removed.

Fix request (13u): Requesting backport to 13u for parity with 11u, applies cleanly.

jdk11 backport request: I would like to have the patch in OpenJDK11 as well, because the issue is present there too (and for better parity with 11.0.8_oracle). The patch applies cleanly.

It is in 11.0.8-oracle + b08

Shouldn't this go to 11.0.8? It was pushed to 11.0.9-oracle.

Fix Request (14u): Requesting backport of this fix to 14.0.2. The change is to remove the expiring root certificate from the cacerts file. Patch applies cleanly (after JDK-8225068) and has an associated test with it for verification.

URL: https://hg.openjdk.java.net/jdk/jdk/rev/83c489227951 User: rhalade Date: 2020-05-01 18:10:49 +0000

AddTrust Qualified CA Root and AddTrust External CA Root should remain since code signing certificates have been issued in the past and may still be in use with a timestamped application.
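
A check for the removal discussed in this issue, added here as an example (it is not the OpenJDK test referred to in the fix requests): it loads a cacerts file, fails if a certificate with the subject DN quoted in the description is still present, and reports other expired or soon-to-expire roots without failing, since some expired roots are kept deliberately. The class name `CheckCacerts`, the 90-day warning window and the default path `${java.home}/lib/security/cacerts` are assumptions of the example; it needs Java 8 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

public class CheckCacerts {
    // Subject DN of the root named in this issue's description.
    static final X500Principal REMOVED = new X500Principal(
        "CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE");
    // Assumption: 90 days is an arbitrary warning window chosen for this example.
    static final Duration WARN_WINDOW = Duration.ofDays(90);

    public static void main(String[] args) throws Exception {
        // Assumed default location of the bundled truststore; pass another path as args[0].
        File store = new File(args.length > 0 ? args[0]
            : System.getProperty("java.home") + "/lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, null); // null password: certificates are readable, integrity check is skipped
        }
        Instant now = Instant.now();
        boolean failed = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            Instant notAfter = x.getNotAfter().toInstant();
            if (REMOVED.equals(x.getSubjectX500Principal())) {
                // Match on the subject DN, not the alias: aliases differ between builds.
                System.out.println("FAIL     " + alias + ": removed root still present");
                failed = true;
            } else if (notAfter.isBefore(now)) {
                System.out.println("EXPIRED  " + alias + " (" + notAfter + ")");
            } else if (notAfter.isBefore(now.plus(WARN_WINDOW))) {
                System.out.println("EXPIRING " + alias + " (" + notAfter + ")");
            }
        }
        System.out.println(failed ? "Truststore still contains the removed root: " + store
                                  : "Removed root not found in " + store);
        System.exit(failed ? 1 : 0);
    }
}
```

The non-zero exit status on a match lets the check gate a build or image pipeline that ships its own truststore.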