JDK-8350498 : Remove two Camerfirma root CA certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 25
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-02-21
  • Updated: 2025-07-18
  • Resolved: 2025-04-30
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 17 JDK 21 JDK 24 JDK 25 JDK 7 JDK 8 Other
11.0.28-oracleFixed 17.0.16-oracleFixed 21.0.8-oracleFixed 24.0.2Fixed 25 b21Fixed 7u471Fixed 8u461Fixed openjdk8u472,shenandoah8u462Fixed
Related Reports
Relates :  
JDK-8346587 - Distrust TLS server certificates anchored by Camerfirma Root CAs
Relates :  
JDK-8303770 - Remove Baltimore root certificate expiring in May 2025
Sub Tasks
JDK-8355325 :  
Release Note: Removed Two Camerfirma Root Certificates - Resolved
Description
Camerfirma has confirmed that the following root CA certificates are terminated and are no longer active:

1. CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
2. CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Comments
[jdk8u-critical-request] Approval Request from Antonio Vieiro Please consider approving this backport from JDK11 that removes two no-longer active CA certificates. Would be good to have it in 2025/07. Tests pass. Low risk.
03-06-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u/pull/73 Date: 2025-06-03 08:50:20 +0000
03-06-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/651 Date: 2025-05-12 14:59:44 +0000
03-06-2025
[jdk8u-fix-request] Approval Request from Antonio Vieiro Please approve this backport that removes two no-longer active CA certificates. Tests pass. Low risk.
02-06-2025
[jdk11u-fix-request] Approval Request from Antonio Vieiro Please approve this backport to JDK-11 that removes two root CA certificates that are no longer active. Tests pass. Low risk. Tagged as CPU25_07-critical-approved.
08-05-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk11u-dev/pull/3032 Date: 2025-05-08 15:55:08 +0000
08-05-2025
Fix request [21u,17u] I backport this for parity with 21.0.8-oracle,17.0.16-oracle. One of the required updates of meta information. Clean backport to 21, some adaptions in 17. Tests pass. SAP nightly testing passed.
08-05-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/3557 Date: 2025-05-07 08:49:18 +0000
07-05-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1750 Date: 2025-05-07 08:34:35 +0000
07-05-2025
[jdk24u-fix-request] Approval Request from Rajan Halade Removal request of two camerfirma root certificates which are no longer in use. The patch applies cleanly and has good test coverage.
30-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk24u/pull/213 Date: 2025-04-30 18:21:28 +0000
30-04-2025
Changeset: 1313349a Branch: master Author: Rajan Halade <rhalade@openjdk.org> Date: 2025-04-30 18:14:10 +0000 URL: https://git.openjdk.org/jdk/commit/1313349a2efd42ab84a543dfee11e3547f6ef4a3
30-04-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/24800 Date: 2025-04-22 20:27:04 +0000
22-04-2025