JDK-8260722: Remove root certificates with 1024-bit keys


    Compatibility Kind: behavioral
    Compatibility Risk: minimal
    Compatibility Risk Description:
      The vast majority of certificates issued by these CAs are now expired, and very few, if any, certificates are still being issued from these roots. It is possible that some signed and timestamped JARs may still be in use (the timestamp allows them to be used beyond the code-signing certificate's expiration date) in applet/JWS technology for JDK 8u. The release note will advise end users to re-sign their applications with certificates chaining to stronger roots where necessary.

      Summary

      Remove root certificates with 1024-bit RSA public keys from the cacerts keystore.

      Please refer to https://bugs.openjdk.java.net/browse/JDK-8256502; this is a clone CSR for the JDK 7u/8u/11u backports that are in progress.

      Problem

      In JDK 7u/JDK 8u, there are currently 6 root certificates with 1024-bit RSA public keys in the system-wide cacerts keystore. In JDK 11u, there are 5. These roots should be removed because a 1024-bit RSA key no longer provides an adequate security margin and is not an acceptable key size for a trust anchor.

      Solution

      Remove the following root certificates (keystore alias and Distinguished Name shown below) from the cacerts keystore:

      1. thawtepremiumserverca [jdk]

        EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

      2. verisignclass2g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      3. verisignclass3ca [jdk]

        OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

      4. verisignclass3g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      5. verisigntsaca [jdk]

        CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

      In addition to the above, JDK 7u/JDK 8u will also have this root certificate removed:

      1. gtecybertrustglobalca [jdk]

        CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

      Specification

      The keystore aliases listed in the Solution section will be removed from the {java.home}/lib/security/cacerts file (for JDK 7u/8u, java.home is the JRE directory, i.e. the jre subdirectory of a JDK installation). Since this file is binary, a diff cannot be shown.

      In JDK 11u, the following files containing the certificates will be deleted from the JDK source code:

      • make/data/cacerts/thawtepremiumserverca
      • make/data/cacerts/verisignclass2g2ca
      • make/data/cacerts/verisignclass3ca
      • make/data/cacerts/verisignclass3g2ca
      • make/data/cacerts/verisigntsaca

      In JDK 7u/JDK 8u, the binary equivalent of the 6 certificates listed above will be removed directly from the cacerts file, since those releases do not build cacerts from per-certificate source files.
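      Because the cacerts file is binary, the practical check is to list it with keytool and look at the key size of each trusted entry. The following POSIX shell script is an added example, not part of the CSR or of the JDK backports: it parses `keytool -list -v` output for entries whose RSA key is shorter than 2048 bits and removes them from a copy of the keystore. It assumes the current keytool listing format (an `Alias name:` line per entry followed by a `Subject Public Key Algorithm: N-bit RSA key` line). The listing embedded in the script is a constructed, abridged sample so the audit runs offline; the `examplerootca2048` and `exampleecroot` entries are invented, while the two 1024-bit entries reuse aliases and DNs from the Solution section.

```shell
#!/bin/sh
# Added example (not part of JDK-8260722): audit a cacerts keystore for trusted
# roots whose RSA public key is shorter than 2048 bits, using only keytool and awk.
# Assumption: `keytool -list -v` prints one "Alias name: <alias>" line per entry,
# followed by "Subject Public Key Algorithm: <N>-bit RSA key" for RSA keys.

# Parse a `keytool -list -v` dump on stdin and print the full alias (including
# the " [jdk]" suffix, which is part of the alias in cacerts) of every entry
# whose RSA key is shorter than $1 bits (default 2048). Non-RSA keys are ignored.
weak_rsa_aliases() {
  awk -v min="${1:-2048}" '
    /^Alias name: / { alias = substr($0, 13) }
    /^Subject Public Key Algorithm: / && match($0, /[0-9]+-bit RSA key/) {
      # "1024-bit RSA key" converts to the number 1024 in awk
      if (substr($0, RSTART, RLENGTH) + 0 < min) print alias
    }'
}

# Dump a keystore. For JDK 7u/8u the system truststore is
# $JAVA_HOME/jre/lib/security/cacerts; for JDK 11u it is
# $JAVA_HOME/lib/security/cacerts. The shipped password is "changeit".
list_keystore() {
  keytool -list -v -keystore "$1" -storepass "${2:-changeit}"
}

# Delete every weak RSA root from the keystore at $1. Run this on a copy:
# the original cacerts belongs to the JDK and is replaced on update.
remove_weak_rsa_roots() {
  ks=$1; pass=${2:-changeit}
  list_keystore "$ks" "$pass" | weak_rsa_aliases 2048 | while IFS= read -r alias; do
    echo "deleting: $alias"
    keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass"
  done
}

# Constructed, abridged sample of `keytool -list -v` output for an offline run.
# The two 1024-bit entries reuse aliases/DNs from the CSR; the 2048-bit RSA
# entry and the EC entry are invented to show that they are not reported.
SAMPLE_LISTING='Alias name: verisignclass3ca [jdk]
Creation date: Jan 1, 2021
Entry type: trustedCertEntry

Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 1

Alias name: examplerootca2048 [jdk]
Entry type: trustedCertEntry
Owner: CN=Example Root CA 2048, O=Example, C=US
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Alias name: thawtepremiumserverca [jdk]
Entry type: trustedCertEntry
Owner: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Alias name: exampleecroot [jdk]
Entry type: trustedCertEntry
Owner: CN=Example EC Root, O=Example, C=US
Subject Public Key Algorithm: 384-bit EC key
Version: 3'

if [ $# -ge 1 ]; then
  # Real run: copy the keystore given as $1, then report and remove weak roots from the copy.
  cp "$1" "$1.pruned"
  remove_weak_rsa_roots "$1.pruned" "${2:-changeit}"
else
  echo "RSA roots below 2048 bits in the constructed sample listing:"
  printf '%s\n' "$SAMPLE_LISTING" | weak_rsa_aliases
fi
```

      Two points worth remembering when doing this by hand: the alias passed to `keytool -delete` must include the ` [jdk]` suffix exactly as shown in the Solution section, and the `-cacerts` shortcut exists only in JDK 9 and later, so the 7u/8u path has to be given with `-keystore`. To find out whether a deployed signed JAR is affected by the removal, run `jarsigner -verify -verbose -certs app.jar` and inspect the signer and timestamp chains; anything anchored to one of the listed roots is what the release note's re-signing advice is about.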

            People: Sean Coffey (coffeys), Sean Mullan (mullan)