JDK-8225072 : Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u291,11.0.10,11.0.11-oracle,16,17
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-05-30
  • Updated: 2021-06-17
  • Resolved: 2020-12-17
  • JDK 11: 11.0.10 (Fixed)
  • JDK 13: 13.0.8 (Fixed)
  • JDK 15: 15.0.4 (Fixed)
  • JDK 16: 16 (Fixed)
  • JDK 17: 17 b03 (Fixed)
  • JDK 7: 7u301 (Fixed)
  • JDK 8: 8u291 (Fixed)
  • Other: openjdk8u282 (Fixed)
Related Reports
Duplicate :  
Description
The following LuxTrust root certificate is expiring in March 2021 and needs action:

CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU

EXPIRATION DATE: 3/17/2021

They have issued code signing certificates that chain back to this root.
Comments
Fix request (13u): this fix should be ported in a series of certificates adjustments for parity with LTS releases. Patch applied seamlessly.
17-06-2021

Fix request (15u): this fix should be ported in a series of certificates adjustments for parity with LTS releases. Patch applied seamlessly.
17-06-2021

Fix Request (OpenJDK 8u): Please approve backporting this to 8u282 (critical request). The test fails there too. Together with JDK-8239105 this fixes the failing VerifyCACerts.java test on OpenJDK 8u282. Patch applies clean after JDK-8239105 has been applied (modulo changed path to the test).
22-12-2020

Changeset: 9fdfc6df
Author: Rajan Halade <rhalade@openjdk.org>
Date: 2020-12-17 22:14:25 +0000
URL: https://git.openjdk.java.net/jdk/commit/9fdfc6df
21-12-2020

Fix Request (OpenJDK 11u): Please approve downporting this to OpenJDK 11.0.10 (critical request), since the test now fails there too. Patch didn't apply cleanly due to JDK-8243559 missing in 11u. Reviewed by Christoph Langer. The fix addresses JDK-8258630 too. RFR: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-December/004458.html
21-12-2020

Changeset: 666e6c40
Author: Rajan Halade <rhalade@openjdk.org>
Date: 2020-12-17 20:27:25 +0000
URL: https://git.openjdk.java.net/jdk/commit/666e6c40
17-12-2020

The cacert alias for this root is "luxtrustglobalrootca [jdk]"
17-12-2020

This is causing a failure in tier 2:

----------System.err:(13/812)----------
ERROR: cert "luxtrustglobalrootca [jdk]" expiry "Wed Mar 17 09:51:37 UTC 2021" will expire within 90 days
java.lang.Exception: At least one cacert test failed
    at VerifyCACerts.main(VerifyCACerts.java:352)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:567)
    at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:298)
    at java.base/java.lang.Thread.run(Thread.java:831)
17-12-2020
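
The failure quoted above comes from a check that flags any trusted root expiring within 90 days, and the fix exempts one alias from that check. The following is an added example, not the code of the VerifyCACerts test or of the OpenJDK change, showing the same kind of audit run against a local cacerts file. The class name, the exemption set, the default keystore path (Java 9+ layout) and the default "changeit" password are assumptions of this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Set;

public class CacertsExpiryAudit {
    // Aliases tolerated although expired or close to expiry. The alias is the one
    // quoted in the comments above; keeping it in a Set is this example's assumption.
    static final Set<String> EXEMPT = Set.of("luxtrustglobalrootca [jdk]");
    static final Duration WINDOW = Duration.ofDays(90);

    // Counts trusted certificates whose notAfter falls within WINDOW of 'now'
    // (or is already past) and whose alias is not exempt.
    static int audit(KeyStore ks, Instant now) throws Exception {
        Instant cutoff = now.plus(WINDOW);
        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isAfter(cutoff)) continue;          // comfortably valid
            String state = notAfter.isBefore(now) ? "EXPIRED" : "EXPIRING";
            if (EXEMPT.contains(alias)) {
                System.out.printf("WARN  %s %s (exempt) notAfter=%s%n", state, alias, notAfter);
            } else {
                System.out.printf("ERROR %s %s notAfter=%s%n", state, alias, notAfter);
                failures++;
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        // Default path and the "changeit" password are assumptions; pass both as arguments to override.
        Path path = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(path.toFile(), password); // Java 9+, detects JKS/PKCS12
        int failures = audit(ks, Instant.now());
        System.out.println(failures + " non-exempt certificate(s) expired or expiring within 90 days");
        if (failures > 0) System.exit(1);
    }
}
```

The process exits non-zero when a non-exempt root is inside the window, so it can gate a build or a scheduled job; exempt aliases are still printed so an exemption stays visible in the output.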