JDK-8348690 : Release Note: Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u461, 8u451, 11.0.27-oracle, 17.0.15-oracle, 21.0.7-oracle, 24.0.1, 25
  • Priority: P3
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2025-01-27
  • Updated: 2025-02-17
  • Resolved: 2025-01-29
The Version table provides details of the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Version table:
  • JDK 11: 11.0.27-oracle (Resolved)
  • JDK 17: 17.0.15-oracle (Resolved)
  • JDK 21: 21.0.7-oracle (Resolved)
  • JDK 24: 24.0.2 (Resolved)
  • JDK 25: 25 (Resolved)
  • JDK 7: 7u461 (Resolved)
  • JDK 8: 8u451 (Resolved)
Description
The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.

TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025.

An application will receive an exception with a message indicating the trust anchor is not trusted, for example:

```
"TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
```

The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.

The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:

<table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root Certificates distrusted after 2025-04-15">
<caption>Root Certificates distrusted after 2025-04-15</caption>
<thead>
<tr>
<th scope="col">Distinguished Name</th>
<th scope="col">SHA-256 Fingerprint</th>
</tr>
</thead>
<tbody>
<tr>
<td>CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU</td>
<td>
<p>0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3</p>
</td>
</tr>
<tr>
<td>CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU</td>
<td>
<p>06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0</p>
</td>
</tr>
<tr>
<td>CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU</td>
<td>
<p>13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA</p>
</td>
</tr>
</tbody>
</table>

You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:

    keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any certificate in the chain issued by one of the root CAs in the table above is listed in the output, you will need to replace the certificate or contact the organization that manages the server.
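As an added example (not part of the release note and not the JDK's own implementation of the policy), the following Java 17+ program applies the rule described above to a key entry's certificate chain in a keystore, so affected server entries can be flagged before the cutoff takes effect. The fingerprints are the three from the table; the keystore path, password and alias are command-line arguments, and treating the cutoff as a UTC calendar date and locating the root by fingerprint anywhere in the stored chain are simplifications of the JDK's internal check.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.HexFormat;
import java.util.Set;

public class CamerfirmaPreflight {
    // SHA-256 fingerprints of the three roots in the table above, in keytool's colon-separated format.
    static final Set<String> DISTRUSTED_ROOTS = Set.of(
        "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3",
        "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0",
        "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
    // Leaf certificates issued (NotBefore) after this date are rejected; UTC calendar date is an assumption.
    static final LocalDate CUTOFF = LocalDate.of(2025, 4, 15);

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    // chain[0] is the server (leaf) certificate. Returns why the chain would be rejected
    // under the CAMERFIRMA_TLS policy, or null if it is unaffected.
    static String distrustReason(X509Certificate[] chain) throws Exception {
        X509Certificate root = null;
        for (X509Certificate cert : chain)
            if (DISTRUSTED_ROOTS.contains(sha256Fingerprint(cert))) { root = cert; break; }
        if (root == null) return null;                    // not anchored by a listed Camerfirma root
        LocalDate issued = LocalDate.ofInstant(chain[0].getNotBefore().toInstant(), ZoneOffset.UTC);
        if (!issued.isAfter(CUTOFF)) return null;         // issued on or before the cutoff: still trusted
        return "leaf issued " + issued + " (after " + CUTOFF + ") and anchored by distrusted root "
                + root.getSubjectX500Principal();
    }

    // Usage: java CamerfirmaPreflight <your_keystore_filename> <keystore_password> <your_server_alias>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        Certificate[] certs = ks.getCertificateChain(args[2]);
        if (certs == null) { System.out.println("no key entry with a certificate chain under alias " + args[2]); return; }
        X509Certificate[] chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) chain[i] = (X509Certificate) certs[i];
        String reason = distrustReason(chain);
        System.out.println(reason == null ? "OK: chain not affected" : "WILL BE REJECTED: " + reason);
    }
}
```

If the stored chain omits the root certificate itself (as many key entries do), nothing matches and the check reports OK; store the full chain as the keytool listing above shows it, or extend the loop to compare the top certificate's issuer DN against the Distinguished Names in the table.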
Comments
Hi [~mpowers], why is this targeted in parts to the April update (24, 11), other parts to the July update (21, 17)?
07-02-2025