JDK-8367403 : java.security jdkCA documentation assumes use of cacerts file
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 17,21,25,26
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2025-09-11
  • Updated: 2025-09-15
Other: tbd (Unresolved)
Description
src/java.base/share/conf/security/java.security

===
#   CAConstraint:
#     jdkCA
#       This constraint prohibits the specified algorithm only if the
#       algorithm is used in a certificate chain that terminates at a marked
#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
#       constraint is not set, then all chains using the specified algorithm
#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
#       expression.
===

The lib/security/cacerts file may not exist in some JDK distributions. For some applications, no use of cacerts is made and the store pointed to by the "javax.net.ssl.trustStore" system property is used. I think it might be good to update the doc with respect to this.
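
A diagnostic for the situation the report describes, added here as an example and not taken from the JDK or from the reporter: it prints the configured entries that use jdkCA, checks whether lib/security/cacerts exists in the running JDK, and reports whether javax.net.ssl.trustStore points elsewhere. The class name is hypothetical. It assumes the store opens with a null password (JKS, or password-less PKCS12) and that marked anchors carry " [jdk" in their alias, an OpenJDK convention the page does not state.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Security;
import java.util.Collections;

public class JdkCaAnchorCheck {
    public static void main(String[] args) throws Exception {
        // Location the java.security comment names for marked trust anchors.
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        // Trust store override mentioned in the report; null when not set.
        String override = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("javax.net.ssl.trustStore = " + override);

        // Show each disabled-algorithm entry that carries the jdkCA constraint.
        String[] props = {"jdk.certpath.disabledAlgorithms",
                          "jdk.tls.disabledAlgorithms",
                          "jdk.jar.disabledAlgorithms"};
        for (String prop : props) {
            String value = Security.getProperty(prop);
            if (value == null) continue;
            for (String entry : value.split(",")) {
                if (entry.contains("jdkCA")) {
                    System.out.println(prop + ": " + entry.trim());
                }
            }
        }

        if (!Files.isRegularFile(cacerts)) {
            System.out.println(cacerts + " is missing: there are no marked anchors to read");
            return;
        }

        // ASSUMPTION: the store loads with a null password (integrity check skipped).
        KeyStore ks = KeyStore.getInstance(cacerts.toFile(), (char[]) null);
        int total = 0, marked = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            total++;
            // ASSUMPTION: OpenJDK marks jdkCA anchors with " [jdk" in the alias.
            if (alias.contains(" [jdk")) marked++;
        }
        System.out.println(cacerts + ": " + marked + " of " + total + " anchors marked");
        if (override != null) {
            System.out.println("The jdkCA wording refers only to cacerts, not to " + override);
        }
    }
}
```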