JDK-8275252 : Migrate cacerts from JKS to password-less PKCS12
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-10-13
  • Updated: 2024-04-10
  • Resolved: 2021-10-19
Version
JDK 18 : 18 b20 (Fixed)
Related Reports
CSR :  
Relates :  
Relates :  
Sub Tasks
JDK-8275254 :  
JDK-8275306 :  
Description
The cacerts file contains the built-in root CA certificates in OpenJDK. It is currently in JKS format, and there are two problems:

1. JKS is an obsolete keystore type.
2. It's protected by a weak and well-known password "changeit".

We intend to migrate the file into a password-less PKCS12 file so that it can continue to be loaded with a null store password.
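
To check which format a given JDK's cacerts is in and that it still loads with a null store password, the following can be run against it. This is an added example, not part of the original report or the OpenJDK change; the class name CacertsCheck and the default lib/security/cacerts location under java.home are assumptions.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Collections;

// Hypothetical helper class, written for this example.
public class CacertsCheck {
    // JKS files start with this magic number; a PKCS12 file is a DER SEQUENCE (first byte 0x30).
    static final int JKS_MAGIC = 0xFEEDFEED;

    // Identify the on-disk format from the first four bytes, without parsing the store.
    static String sniffFormat(File f) throws IOException {
        try (DataInputStream in = new DataInputStream(new FileInputStream(f))) {
            int head = in.readInt();
            if (head == JKS_MAGIC) return "JKS";
            if ((head >>> 24) == 0x30) return "PKCS12 (DER)";
            return "unknown";
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: the running JDK's own trust store. Pass another path as args[0].
        File f = args.length > 0 ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        System.out.println("file:   " + f);
        System.out.println("format: " + sniffFormat(f));

        // Null store password: JKS skips its integrity check, and a password-less
        // PKCS12 has no MAC and unencrypted certificate bags, so both load.
        // KeyStore.getInstance(File, char[]) (Java 9+) detects the keystore type itself.
        KeyStore ks = KeyStore.getInstance(f, (char[]) null);
        System.out.println("type:   " + ks.getType());

        // Count the trusted certificate entries that were readable without a password.
        int certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) certs++;
        }
        System.out.println("trusted certificate entries: " + certs);
    }
}
```

Callers that pass a null password to the trust store keep working across the migration; code that hard-codes the "JKS" type or reads the file format directly is what needs review.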
Comments
Changeset: bd2b41dd
Author: Weijun Wang <weijun@openjdk.org>
Date: 2021-10-19 20:48:17 +0000
URL: https://git.openjdk.java.net/jdk/commit/bd2b41dd7062c50f3aaebec2137d5fdd9546c120
19-10-2021