JDK-8225069 : Remove Comodo root certificate that is expiring in May 2020
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,11,14,15
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-05-30
  • Updated: 2020-08-14
  • Resolved: 2020-05-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 JDK 15 JDK 7 JDK 8 Other
11.0.8Fixed 13.0.4Fixed 14.0.2Fixed 15 b22Fixed 7u281Fixed 8u260Fixed openjdk8u262Fixed
Sub Tasks
JDK-8225130 :  
JDK-8244167 :  
Description
The following three Comodo certificates are expiring in May 2020 and needs action -

CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

EXPIRATION DATE FOR ALL ROOTS:   5/30/2020

Please ensure not to remove the roots before the expiration date.
Comments
Fix Request [8u262]: Patch backports cleanly after path shuffling. Patched test fails with certificate present, passes once removed
16-06-2020

Fix request (13u) Requesting backport to 13u for parity with 11u, applies cleanly.
10-06-2020

jdk11 backport request I would like to have the patch in OpenJDK11 as well, because the issue is present there too (and for better parity with 11.0.8_oracle). The patch applies cleanly.
04-06-2020

It is in 11.0.8-oracle + b08
03-06-2020

Shouldn't this go to 11.0.8? It was pushed to 11.0.9-oracle.
03-06-2020

Fix Request (14u): Requesting backport of this fix to 14.0.2. The change is to remove expiring root certificate from cacerts file. Patch applies cleanly (after JDK-8225068) and has associated test with it for verification.
12-05-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/83c489227951 User: rhalade Date: 2020-05-01 18:10:49 +0000
01-05-2020

AddTrust Qualified CA Root and AddTrust External CA Root should remain since code signing certificates have been issued in the past and may still be in use with a timestamped application.
31-05-2019