JDK-8262079: Remove root certificates with 1024-bit keys


    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The vast majority of certificates issued by these CAs are now expired, and very few, if any, certificates are still being issued from these roots. It is possible that some signed and timestamped JARs may still be in use (allowing them to be used beyond the code signing certificate's expiration date), but this should not be a risk even for JDK 13, as these are primarily for use cases which are deprecated or not supported in JDK 13, specifically applets and WebStart applications.
    • Interface Kind: Other
    • Scope: JDK

      Summary

      Remove root certificates with 1024-bit RSA public keys from the cacerts keystore.

      Problem

      There are 5 root certificates with 1024-bit RSA public keys in the system-wide cacerts keystore. These roots should be removed as the key size is weak.

      Solution

      Remove the following root certificates (keystore alias and Distinguished Name shown below) from the cacerts keystore:

      thawtepremiumserverca [jdk]
      
      EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      
      verisignclass2g2ca [jdk]
      
      OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
      
      verisignclass3ca [jdk]
      
      OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      
      verisignclass3g2ca [jdk]
      
      OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
      
      verisigntsaca [jdk]
      
      CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

      Specification

      The keystore aliases listed in the Solution section will be removed from the {java.home}/lib/security/cacerts file. Since this file is binary, it is not possible to show a diff. The following files containing the certificates will be deleted from the JDK source code:

      make/data/cacerts/thawtepremiumserverca
      make/data/cacerts/verisignclass2g2ca
      make/data/cacerts/verisignclass3ca
      make/data/cacerts/verisignclass3g2ca
      make/data/cacerts/verisigntsaca
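A practitioner applying this change, or checking a deployed JDK against it, wants a way to confirm that none of the five aliases survive in a given cacerts file and, more generally, that no trust anchor with an RSA key shorter than 2048 bits remains (the check goes beyond the five listed roots and also catches weak roots imported locally). The program below is an added example written for this page; it is not code from the JDK or from the CSR. It assumes Java 11 or later, that the keystore opens with the JDK's well-known default password "changeit", and that 2048 bits is the policy floor the operator wants to enforce; the class name `CacertsAudit`, the constant `MIN_RSA_BITS` and the method names are choices made here.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class CacertsAudit {

    // The five aliases this CSR removes (from the Solution section).
    static final List<String> REMOVED_ALIASES = List.of(
            "thawtepremiumserverca", "verisignclass2g2ca", "verisignclass3ca",
            "verisignclass3g2ca", "verisigntsaca");

    // Assumed policy floor for RSA trust anchors; not a value taken from the CSR.
    static final int MIN_RSA_BITS = 2048;

    // Loads a keystore file. The JDK ships cacerts with the default password
    // "changeit"; in Java 11+ the default KeyStore type reads both JKS and PKCS12.
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Aliases from the removal list that are still present in the keystore.
    static List<String> lingeringAliases(KeyStore ks) throws Exception {
        List<String> found = new ArrayList<>();
        for (String alias : REMOVED_ALIASES) {
            if (ks.containsAlias(alias)) {
                found.add(alias);
            }
        }
        return found;
    }

    // Every trusted-certificate entry whose RSA modulus is shorter than
    // MIN_RSA_BITS, whatever its alias; also catches weak roots added locally.
    static List<String> weakRsaRoots(KeyStore ks) throws Exception {
        List<String> weak = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue; // skip private-key entries; only trust anchors matter here
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            if (x509.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x509.getPublicKey()).getModulus().bitLength();
                if (bits < MIN_RSA_BITS) {
                    weak.add(alias + " (" + bits + "-bit RSA): " + x509.getSubjectX500Principal());
                }
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        // Default to the running JDK's own cacerts, the file named in the Specification.
        Path file = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = load(file, "changeit".toCharArray());

        List<String> lingering = lingeringAliases(ks);
        List<String> weak = weakRsaRoots(ks);

        System.out.println("Keystore: " + file);
        lingering.forEach(a -> System.out.println("removed by JDK-8262079 but still present: " + a));
        weak.forEach(w -> System.out.println("weak RSA root: " + w));
        if (lingering.isEmpty() && weak.isEmpty()) {
            System.out.println("OK: no removed aliases and no RSA root below " + MIN_RSA_BITS + " bits");
        }
        // Non-zero exit lets a build or CI step fail while weak roots remain.
        System.exit(lingering.isEmpty() && weak.isEmpty() ? 0 : 1);
    }
}
```

Run it as `java CacertsAudit` to audit the JDK it runs on, or `java CacertsAudit /path/to/cacerts` for another keystore. The two checks are deliberately separate: the alias check confirms this specific change has landed, while the key-size scan is what actually enforces the policy the CSR is motivated by, and it keeps working after the aliases are gone.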

Yuri Nesterenko (yan), Sean Mullan (mullan), Christoph Langer