JDK-8243559 : Remove root certificates with 1024-bit keys
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,11,15,16
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2020-04-24
  • Updated: 2023-12-12
  • Resolved: 2020-11-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 15 JDK 16 JDK 7 JDK 8 Other
11.0.12-oracleFixed 13.0.7Fixed 15.0.3Fixed 16 b26Fixed 7u311Fixed 8u301Fixed openjdk8u302Fixed
Related Reports
CSR :  
JDK-8256502 - Remove root certificates with 1024-bit keys
Duplicate :  
JDK-8225071 - Remove two Digicert root certificates that are expiring in January 2021
Relates :  
JDK-8243493 - Tools shouldn't warn for weak algorithms in cacerts
Relates :  
JDK-8195793 - Remove GTE CyberTrust Global Root
Relates :  
JDK-8255402 - Warnings generated for JDK cacerts keystore
Sub Tasks
JDK-8256902 :  
Release Note: Removed Root Certificates with 1024-bit Keys - Closed
Description
There are 5 roots with 1024-bit keys in the JDK cacerts keystore. Their keystore aliases and Distinguished Names are as follows:

1. thawtepremiumserverca

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

2. verisignclass2g2ca

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3. verisignclass3ca

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

4. verisignclass3g2ca

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

5. verisigntsaca

CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Comments
Fix Request (OpenJDK 8u): Please approve backporting this to OpenJDK 8u (8u302). The JDK 11 patch applies clean after path shuffeling. VerifyCACerts test passes. This keeps JDKs in sync in terms of provided root certificates. CSR (approved; includes 8u): https://bugs.openjdk.java.net/browse/JDK-8262079
18-03-2021
Fix Request (11u) Should get backported for parity with 11.0.12-oracle. Doesn't apply cleanly. Review thread: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-March/005319.html webrev: http://cr.openjdk.java.net/~mdoerr/8243559_root_ca_11u/webrev.00/ Shared CSR: JDK-8262079
16-03-2021
Fix request (15u) the change applies to 15u very well. CSR is approved. The relevant tests run also as expected.
25-02-2021
Fix request (13u): I'd like to port this fix to 13u, too. Applied almost clean: no merging was necessary, and exception list in the test was not changed (soon-to-be-expired and now removed certificates never have been added there); all relevant tests run as expected.
20-02-2021
Changeset: dbfeb90d Author: Sean Mullan <mullan@openjdk.org> Date: 2020-11-24 18:14:05 +0000 URL: https://github.com/openjdk/jdk/commit/dbfeb90d
24-11-2020