JDK-8074426 : Add PKCS12 support for trust settings on root certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: In Progress
  • Resolution: Unresolved
  • Submitted: 2015-03-04
  • Updated: 2022-11-30
  • JDK 6: 6-pool (Resolved)
  • JDK 7: 7-pool (Resolved)
  • JDK 8: 8-pool (Resolved)
Description
One of the features we are missing is a way to mark and edit trust settings on trust anchors, or root CA certificates. For example, a root CA may be trusted for SSL, S/MIME, or code signing. Browsers usually support this feature, as well as OS-specific keystores like Keychain on OS X.

The work for this issue should also include enhancing the PKIX implementation to check the trust settings when validating chains. For example, a root that is only trusted for code signing should not be used to validate TLS certificates.
Comments
Fix in Progress, but probably won't be ready for review until JDK 20 timeframe.
04-05-2022

Re-opening - this Enhancement becomes viable again once 8275252 is fixed: Migrate cacerts from JKS to password-less PKCS12. We can implement this feature using PKCS12 attributes.
18-10-2021