- Type: Sub-task
- Resolution: Delivered
- Priority: P3
- Fix Version: 7u441, 8u431, 11.0.25-oracle, 17.0.13-oracle, 21.0.5-oracle, 23.0.1, 24
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8339688 | 23.0.1 | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8339689 | 21.0.5-oracle | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8339690 | 17.0.13-oracle | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8339691 | 11.0.25-oracle | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8339693 | 8u431 | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8339692 | 7u441 | Marc Palmerjohnson | P3 | Resolved | Delivered | |
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
```
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
```
If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
<table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root Certificates distrusted after 2024-11-11">
<caption>Root Certificates distrusted after 2024-11-11</caption>
<thead>
<tr>
<th scope="col">Distinguished Name</th>
<th scope="col">SHA-256 Fingerprint</th>
</tr>
</thead>
<tbody>
<tr>
<td>CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US</td>
<td>
<p>73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C</p>
</td>
</tr>
<tr>
<td>CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US</td>
<td>
<p>02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5</p>
</td>
</tr>
<tr>
<td>CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US</td>
<td>
<p>43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39</p>
</td>
</tr>
<tr>
<td>CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US</td>
<td>
<p>DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88</p>
</td>
</tr>
<tr>
<td>CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net</td>
<td>
<p>6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77</p>
</td>
</tr>
<tr>
<td>CN=AffirmTrust Commercial, O=AffirmTrust, C=US</td>
<td>
<p>03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7</p>
</td>
</tr>
<tr>
<td>CN=AffirmTrust Networking, O=AffirmTrust, C=US</td>
<td>
<p>0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B</p>
</td>
</tr>
<tr>
<td>CN=AffirmTrust Premium, O=AffirmTrust, C=US</td>
<td>
<p>70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A</p>
</td>
</tr>
<tr>
<td>CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US</td>
<td>
<p>BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23</p>
</td>
</tr>
</tbody>
</table>
You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:
```
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
```
If any certificate in the chain shown in the output is issued by one of the root CAs in the table above, you will need to update the certificate or contact the organization that manages the server.
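As an added illustration (not JDK code and not part of this release note), the following Java 17+ program applies the same rule to a PEM chain file: it fingerprints the last certificate in the file (assumed to be the root), compares it with the table above, and checks the leaf's notBefore date against the cut-off. The class name, the leaf-first/root-last file layout and the wording of the verdict are assumptions.

```java
import java.io.*;
import java.security.MessageDigest;
import java.security.cert.*;
import java.time.*;
import java.util.*;

// Added illustration, not JDK code: a pre-flight check that applies the ENTRUST_TLS rule
// from the release note to a PEM chain file. Requires Java 17+ (java.util.HexFormat).
public class EntrustDistrustCheck {
    // Cut-off date from the release note: leaf certificates issued after it are rejected.
    static final LocalDate DISTRUST_AFTER = LocalDate.of(2024, 11, 11);
    // SHA-256 fingerprints (colons removed) of the root certificates in the table above.
    static final Set<String> DISTRUSTED_ROOTS = Set.of(
        "73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C", // Entrust Root Certification Authority
        "02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5", // Entrust Root Certification Authority - EC1
        "43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339", // Entrust Root Certification Authority - G2
        "DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88", // Entrust Root Certification Authority - G4
        "6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177", // Entrust.net Certification Authority (2048)
        "0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7", // AffirmTrust Commercial
        "0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B", // AffirmTrust Networking
        "70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A", // AffirmTrust Premium
        "BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423"); // AffirmTrust Premium ECC

    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().withUpperCase().formatHex(digest);
    }
    // Same rule as the note: reject only if the anchor is listed AND the leaf's notBefore
    // is after the cut-off. Returns null when the chain is not affected.
    static String checkChain(List<X509Certificate> chain) throws Exception {
        X509Certificate leaf = chain.get(0), anchor = chain.get(chain.size() - 1);
        if (!DISTRUSTED_ROOTS.contains(sha256Hex(anchor))) return null;
        LocalDate issued = leaf.getNotBefore().toInstant().atZone(ZoneOffset.UTC).toLocalDate();
        if (!issued.isAfter(DISTRUST_AFTER)) return null;
        return "TLS server certificate issued after " + DISTRUST_AFTER
            + " and anchored by a distrusted legacy Entrust root CA: " + anchor.getSubjectX500Principal();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file holding the chain, leaf first and root last (assumed layout).
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        String verdict = checkChain(chain);
        System.out.println(verdict == null ? "OK: not affected by ENTRUST_TLS" : "REJECTED: " + verdict);
    }
}
```

Because the JDK applies the rule to the trust anchor from the truststore, a server that omits its root from the handshake is still affected; export the full chain (for example with the `keytool` command above) before running this check.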
- backported by
  - JDK-8339688 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
  - JDK-8339689 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
  - JDK-8339690 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
  - JDK-8339691 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
  - JDK-8339692 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
  - JDK-8339693 Release Note: Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (Resolved)
- relates to
  - JDK-8341059 Change Entrust TLS distrust date to November 12, 2024 (Resolved)