-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
minimal
-
-
System or security property
-
JDK
Summary
Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs.
Problem
Google have previously announced they will distrust Entrust root CAs issued after October 31, 2024. Mozilla have also announced that they will distrust Entrust root CAs issued after November 30, 2024.
Solution
The JDK will stop trusting TLS server certificates issued after October 2024 and anchored by Entrust Root. Certificates, in line with similar plans recently announced by Google and Mozilla.
TLS server certificates issued on or before October 31, 2024 will continue to be trusted until they expire. Certificates issued after that date will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after October 31 of 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:
"TLS server certificate issued after 2024-10-31 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net"
Specification
The policy will be enabled by adding ENTRUST_TLS to the jdk.security.caDistrustPolicies
security property in the java.security
configuration file. If enabled, this policy is enforced by the PKIX and SunX509 TrustManager implementations of the SunJSSE provider implementation.
There are nine Entrust distrusted roots (AffirmTrust are also Entrust CAs):
cacerts alias: entrustevca
DN: CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US
cacerts alias: entrustrootcaec1
DN: CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
cacerts alias: entrustrootcag2
DN: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
cacerts alias: entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4 OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US,
cacerts alias: entrust2048ca
DN: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
cacerts alias: affirmtrustcommercialca
DN: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
cacerts alias: affirmtrustnetworkingca
DN: CN=AffirmTrust Networking, O=AffirmTrust, C=US
cacerts alias: affirmtrustpremiumca
DN: CN=AffirmTrust Premium, O=AffirmTrust, C=US
cacerts alias: affirmtrustpremiumeccca
DN: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
- csr of
-
JDK-8337664 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
-
- Resolved
-
- relates to
-
JDK-8339534 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
-
- Closed
-