JDK-8303770 : Remove Baltimore root certificate expiring in May 2025
  • Type: Task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version:
    7u471,8u461,11.0.28,17.0.16,21.0.8,24.0.2,25 7u471,8u461,11.0.28,17.0.16,21.0.8,24.0.2,25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2023-03-07
  • Updated: 2025-07-18
  • Resolved: 2025-03-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 17 JDK 21 JDK 24 JDK 25 JDK 7 JDK 8 Other
11.0.28-oracleFixed 17.0.16-oracleFixed 21.0.8-oracleFixed 24.0.2Fixed 25 b14Fixed 7u471Fixed 8u461Fixed openjdk8u472,shenandoah8u462Fixed
Related Reports
Relates :  
JDK-8350498 - Remove two Camerfirma root CA certificates
Sub Tasks
JDK-8351686 :  
Release Note: Removed Baltimore CyberTrust Root Certificate After Expiry Date - Resolved
Description
baltimorecybertrustca [jdk]	
Expiry Date: 2025-05-12	
CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Comments
[jdk8u-critical-request] Approval Request from Antonio Vieiro Please consider approving this backport from 11 that removes a CA certificate expiring in May 2025, so it's included in the next 2025/07 release. Tested in RHEL8, x86_64, gcc8.5.0. Low risk.
03-06-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u/pull/72 Date: 2025-06-03 07:23:05 +0000
03-06-2025
[jdk8u-fix-request] Approval Request from Antonio Vieiro please Approve this PR that removes a CA certificate that is expiring in May, it would be great if we could get this merged for the 2025-07 release.
02-06-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/650 Date: 2025-05-09 15:11:28 +0000
09-05-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk11u-dev/pull/3018 Date: 2025-03-28 14:17:05 +0000
28-03-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3367 Date: 2025-03-17 10:45:35 +0000
17-03-2025
Fix request [17u] I backport this for parity with 17.0.16-oracle. One of the required updates of meta information. I had to adapt the change to 17. Test passes.
17-03-2025
Yes, you're right. I was thinking of cases like JDK-8346587 where the certificate needs to be distrusted after a certain date, rather than a removal. The Baltimore certificate will become invalid during the lifetime of the April updates and should be removable without issue in July. Thanks for the explanation.
15-03-2025
It is better not to remove it before it expires just in case there are unexpired certificates issued from it. In fact we retain some expired roots that have issued code signing certificates so that code timestamped prior to the expiration date can still be validated.
13-03-2025
If the certificate expires in May, should this not go in the April update?
13-03-2025
Fix Request (OpenJDK 21u): Clean patch to remove an expired certificate. Oracle 21.0.8 parity request to backport to OpenJDK 21u. Should be low risk. Test shows the warning about the expired cert before the patch and is gone after.
13-03-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1480 Date: 2025-03-12 20:21:22 +0000
12-03-2025
[jdk24u-fix-request] Approval Request from Rajan Halade The fix is to remove expired root CA certificate. The patch applies cleanly and has good test coverage. This fix is to be included in JDK 24.0.2 release.
12-03-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk24u/pull/131 Date: 2025-03-12 17:23:36 +0000
12-03-2025
Changeset: 23716967 Branch: master Author: Rajan Halade <rhalade@openjdk.org> Date: 2025-03-12 17:19:41 +0000 URL: https://git.openjdk.org/jdk/commit/2371696781edc040d8fa8133c78b284a2e3de1ed
12-03-2025
[~sgehwolf] Thanks for the reminder, I have posted the review for JDK 25. The test failure was updated to warning with JDK-8282201.
11-03-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/23992 Date: 2025-03-11 17:28:17 +0000
11-03-2025
[~rhalade] Is this something you plan to work on? We see VerifyCACerts.java test failing due to this CA cert expiring within 90 days (in JDK 8). For JDK head it's a warning: ----------System.err:(4/145)---------- WARNING: cert "baltimorecybertrustca [jdk]" expiry "Tue May 13 01:59:00 CEST 2025" will expire within 90 days
11-03-2025