
Remove root certificates with 1024-bit keys


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 16
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The vast majority of certificates issued by these CAs are now expired and very few, if any, certificates are still being issued from these roots. It is possible that some signed and timestamped JARs may still be in use (allowing them to be used beyond the code signing certificate's expiration date), but this should not be a risk for JDK 16, as these are primarily for use cases which are deprecated or not supported in JDK 16, specifically applets and WebStart applications.
    • Interface Kind: Other
    • Scope: JDK

      Summary

      Remove root certificates with 1024-bit RSA public keys from the cacerts keystore.

      Problem

      There are 5 root certificates with 1024-bit RSA public keys in the system-wide cacerts keystore. These roots should be removed as the key size is weak.

      Solution

      Remove the following root certificates (keystore alias and Distinguished Name shown below) from the cacerts keystore:

      1. thawtepremiumserverca [jdk]

        EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

      2. verisignclass2g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      3. verisignclass3ca [jdk]

        OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

      4. verisignclass3g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      5. verisigntsaca [jdk]

        CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

      Specification

      The keystore aliases listed in the Solution section will be removed from the {java.home}/lib/security/cacerts file. Since this file is binary, it is not possible to show a diff. The following files containing the certificates will be deleted from the JDK source code:

      • make/data/cacerts/thawtepremiumserverca
      • make/data/cacerts/verisignclass2g2ca
      • make/data/cacerts/verisignclass3ca
      • make/data/cacerts/verisignclass3g2ca
      • make/data/cacerts/verisigntsaca
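Because the cacerts file is binary, the practical way to confirm the change on a given JDK is to load the keystore and inspect each trust anchor. The following audit program is an added example written for this page, not code from the CSR or the JDK; the class name WeakRootAudit, the 2048-bit threshold and the optional path argument are my own choices. It flags any of the five removed aliases that are still present and, more generally, any root whose RSA key is shorter than 2048 bits.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Audits a cacerts keystore for the roots removed by JDK-8256502 and for weak RSA keys. */
public class WeakRootAudit {

    // Keystore aliases removed by JDK-8256502 (names taken from the CSR above).
    static final Set<String> REMOVED_ALIASES = Set.of(
        "thawtepremiumserverca", "verisignclass2g2ca", "verisignclass3ca",
        "verisignclass3g2ca", "verisigntsaca");

    // Threshold chosen for this example; 1024-bit RSA roots are the ones the CSR removes.
    static final int MIN_RSA_BITS = 2048;

    /** Returns one finding per problem; an empty list means the keystore is clean. */
    static List<String> audit(Path cacerts) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, null); // null password: read the entries without an integrity check
        }
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (REMOVED_ALIASES.contains(alias)) {
                findings.add(alias + ": alias removed by JDK-8256502 is still present");
            }
            PublicKey key = cert.getPublicKey();
            if (key instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) key).getModulus().bitLength();
                if (bits < MIN_RSA_BITS) {
                    findings.add(alias + ": " + bits + "-bit RSA key, " + cert.getSubjectX500Principal());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Default to the running JDK's own trust store; an explicit path overrides it.
        Path cacerts = args.length > 0 ? Path.of(args[0])
            : Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        List<String> findings = audit(cacerts);
        findings.forEach(System.out::println);
        System.out.println(findings.isEmpty() ? "OK: no weak or removed roots in " + cacerts
                                              : findings.size() + " finding(s) in " + cacerts);
    }
}
```

Run it with `java WeakRootAudit.java` on a JDK 16 or later build and expect no findings; pointing it at an older JDK's cacerts should list the five aliases with their 1024-bit keys.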

            Assignee: Sean Mullan (mullan)
            Reporter: Sean Mullan (mullan)
            Reviewed By: Valerie Peng