JDK-8255402 : Warnings generated for JDK cacerts keystore
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u271
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2020-10-26
  • Updated: 2021-01-14
  • Resolved: 2021-01-14
Related Reports
Relates :  
JDK-8243493 - Tools shouldn't warn for weak algorithms in cacerts
Relates :  
JDK-8243559 - Remove root certificates with 1024-bit keys
Relates :  
JDK-8172404 - Tools should warn if weak algorithms are used before restricting them
Description
../../bin/keytool -list -keystore cacerts

Warning:
<verisignclass2g2ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisigntsaca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<gtecybertrustglobalca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3g2ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<thawtepremiumserverca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Comments
Expected behaviour since the warning changes were introduced via JDK-8172404 Perhaps - we can improve documentation in this area. release note: https://www.oracle.com/java/technologies/javase/8u271-relnotes.html#JDK-8172404
10-11-2020
The included certs are legacy certs maintained for legacy applications. Any application using such certs should be updated and re-signed with newer certificates.
10-11-2020
This one seems to be duplicate of JDK-8243493.
26-10-2020