
Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • 7-pool
    • security-libs
    • None
    • behavioral
    • minimal
    • This is in line with similar plans that have been previously announced by Google and Mozilla. Also, Entrust has already announced that they will be using a reseller (SSL.com) for all TLS certificates issued after October 31, 2024 (https://www.entrust.com/tls-certificate-information-center), so there should be no compatibility impact as long as that arrangement stays the same.
    • System or security property
    • JDK

      Summary

      Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs.

      Problem

      Google has previously announced that it will distrust TLS server certificates anchored by Entrust root CAs and issued after October 31, 2024. Mozilla has also announced that it will distrust such certificates issued after November 30, 2024.

      Solution

      The JDK will stop trusting TLS server certificates issued after October 2024 and anchored by Entrust Root Certificates, in line with similar plans recently announced by Google and Mozilla.

      TLS server certificates issued on or before October 31, 2024 will continue to be trusted until they expire. Certificates issued after that date will be rejected.

      The restrictions will be enforced in the JDK implementation (the SunJSSE provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities listed below and the certificate has been issued after October 31, 2024.

      An application will receive an Exception with a message indicating that the trust anchor is not trusted, e.g.:

      "TLS server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"

      Specification

      The policy will be enabled by adding ENTRUST_TLS to the jdk.security.caDistrustPolicies security property in the java.security configuration file. If enabled, this policy is enforced by the PKIX and SunX509 TrustManager implementations of the SunJSSE provider.

      There are nine distrusted Entrust roots (the AffirmTrust roots are also Entrust CAs):

      • cacerts alias: entrustevca

        DN: CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US

      • cacerts alias: entrustrootcaec1

        DN: CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

      • cacerts alias: entrustrootcag2

        DN: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

      • cacerts alias: entrustrootcag4

        DN: CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

      • cacerts alias: entrust2048ca

        DN: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

      • cacerts alias: affirmtrustcommercialca

        DN: CN=AffirmTrust Commercial, O=AffirmTrust, C=US

      • cacerts alias: affirmtrustnetworkingca

        DN: CN=AffirmTrust Networking, O=AffirmTrust, C=US

      • cacerts alias: affirmtrustpremiumca

        DN: CN=AffirmTrust Premium, O=AffirmTrust, C=US

      • cacerts alias: affirmtrustpremiumeccca

        DN: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
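      The decision rule described in the Solution and Specification sections, as an added stand-alone model (not JDK or Entrust code) that an operator can use to pre-check the chains they serve. The names check_chain, CUTOFF and DISTRUSTED_ROOTS are this example's own, and matching anchors by DN string is a simplification for illustration: SunJSSE enforces the policy inside its trust managers against the actual root certificates in cacerts.

```python
from datetime import datetime, timezone
from typing import Optional
# "Issued after October 31, 2024": any notBefore at or past this UTC instant.
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)

# Subject DNs of the nine roots listed in the CSR (AffirmTrust roots are Entrust CAs).
DISTRUSTED_ROOTS = {
    "CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US",
    "CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US",
    "CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US",
    "CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US",
    "CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net",
    "CN=AffirmTrust Commercial, O=AffirmTrust, C=US",
    "CN=AffirmTrust Networking, O=AffirmTrust, C=US",
    "CN=AffirmTrust Premium, O=AffirmTrust, C=US",
    "CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US",
}

def _norm(dn: str) -> str:
    # Comparison aid only (case-fold, strip whitespace around separators); not an
    # RFC 4514 parser, which is fine because both sides are normalised the same way.
    return ",".join(part.strip().lower() for part in dn.split(","))

_DISTRUSTED = {_norm(dn) for dn in DISTRUSTED_ROOTS}

def check_chain(anchor_dn: str, leaf_not_before: str) -> Optional[str]:
    """Apply the ENTRUST_TLS rule to one chain: anchor_dn is the subject DN of the
    trust anchor the chain validated to, leaf_not_before the server certificate's
    notBefore as ISO-8601 with a UTC offset.  Returns the SunJSSE-style rejection
    message, or None if the chain stays trusted."""
    issued = datetime.fromisoformat(leaf_not_before)
    if issued.tzinfo is None:
        raise ValueError("notBefore needs a UTC offset to compare against the cutoff")
    if _norm(anchor_dn) not in _DISTRUSTED:
        return None  # other anchors are untouched by this policy
    if issued < CUTOFF:
        return None  # issued on or before 2024-10-31: trusted until expiry
    return ("TLS server certificate issued after 2024-10-31 and anchored by a "
            f"distrusted legacy Entrust root CA: {anchor_dn}")

if __name__ == "__main__":
    # Constructed sample chains (no real certificates involved).
    samples = [
        ("CN=AffirmTrust Commercial, O=AffirmTrust, C=US", "2024-10-31T23:59:59+00:00"),
        ("CN=AffirmTrust Commercial, O=AffirmTrust, C=US", "2024-11-01T00:00:00+00:00"),
        ("cn=affirmtrust premium ecc,o=affirmtrust,c=us", "2025-01-15T12:00:00+00:00"),
        ("CN=Example Root, O=Example, C=US", "2025-01-15T12:00:00+00:00"),
    ]
    for anchor, issued in samples:
        print(issued, "->", check_chain(anchor, issued) or "trusted")
```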

            pkumaraswamy Prajwal Kumaraswamy
            mullan Sean Mullan