JDK-8339194 : Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool,11-pool,17-pool,21-pool,23-pool,24
  • Submitted: 2024-08-28
  • Updated: 2024-09-05
  • Resolved: 2024-08-30
Related Reports
CSR :  
JDK-8337664 - Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Relates :  
JDK-8339534 - Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
Description
Summary
-------

Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs.

Problem
-------

[Google](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html) have previously announced they will distrust Entrust root CAs issued after October 31, 2024. [Mozilla](https://web.archive.org/web/20240804072941/https:/groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw) have also announced that they will distrust Entrust root CAs issued after November 30, 2024.

Solution
--------

The JDK will stop trusting TLS server certificates issued after October 2024 and anchored by Entrust Root. Certificates, in line with similar plans recently announced by Google and Mozilla. 

TLS server certificates issued on or before October 31, 2024 will continue to be trusted until they expire. Certificates issued after that date will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after October 31 of 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:

"TLS server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA:
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"

Specification
--------

The policy will be enabled by adding ENTRUST_TLS to the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file. If enabled, this policy is enforced by the PKIX and SunX509 TrustManager implementations of the SunJSSE provider implementation.

There are nine Entrust distrusted roots (AffirmTrust are also Entrust CAs):

- cacerts alias: entrustevca

   DN: CN=Entrust Root Certification Authority,
    OU=(c) 2006 Entrust, Inc.,
    OU=www.entrust.net/CPS is incorporated by reference,
    O=Entrust, Inc., C=US

- cacerts alias: entrustrootcaec1

   DN: CN=Entrust Root Certification Authority - EC1,
    OU=(c) 2012 Entrust, Inc. - for authorized use only,
    OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

- cacerts alias: entrustrootcag2

   DN: CN=Entrust Root Certification Authority - G2,
    OU=(c) 2009 Entrust, Inc. - for authorized use only,
    OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

- cacerts alias: entrustrootcag4

   DN: CN=Entrust Root Certification Authority - G4 
    OU=(c) 2015 Entrust, Inc. - for authorized use only,
    OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US,

- cacerts alias: entrust2048ca

   DN: CN=Entrust.net Certification Authority (2048),
    OU=(c) 1999 Entrust.net Limited,
    OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
    O=Entrust.net

- cacerts alias: affirmtrustcommercialca

   DN: CN=AffirmTrust Commercial, O=AffirmTrust, C=US

- cacerts alias: affirmtrustnetworkingca

   DN: CN=AffirmTrust Networking, O=AffirmTrust, C=US

- cacerts alias: affirmtrustpremiumca

   DN: CN=AffirmTrust Premium, O=AffirmTrust, C=US

- cacerts alias: affirmtrustpremiumeccca

   DN: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Comments
Moving to Approved.
30-08-2024