JDK-8347738

Distrust TLS server certificates anchored by Camerfirma Root CAs


      Compatibility Kind: behavioral
      Compatibility Risk: minimal
      Compatibility Risk Description: This is in line with similar plans that have been previously announced by Google, Mozilla, Apple, and Microsoft. Also, Camerfirma has informed us that it stopped issuing TLS certificates from these roots in 2021.
      Interface Kind: System or security property
      Scope: JDK

      Summary

      Distrust TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root CAs.

      Problem

      TLS server certificates anchored by Camerfirma Root CAs are distrusted, either outright or for certificates issued after a specific date, by Google [1], Mozilla [2], Apple [3], and Microsoft [4, 5].

      [1] https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
      [2] https://groups.google.com/g/mozilla.dev.security.policy/c/PnAAWnxyosM/m/cImb78jnBAAJ
      [3] https://support.apple.com/en-us/121668
      [4] https://learn.microsoft.com/en-us/security/trusted-root/2023/feb2023
      [5] https://learn.microsoft.com/en-us/security/trusted-root/2024/feb2024

      Solution

      The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma Root Certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.

      TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date will be rejected.

      The restrictions will be enforced in the JDK implementation (the SunJSSE provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the list below and the server certificate was issued after April 15, 2025.

      An application will receive an Exception whose message indicates that the trust anchor is not trusted, e.g.:

      "TLS server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"

      Specification

      The policy will be enabled by adding CAMERFIRMA_TLS to the jdk.security.caDistrustPolicies security property in the java.security configuration file. If enabled, this policy is enforced by the PKIX and SunX509 TrustManager implementations of the SunJSSE provider implementation.

      There are three Camerfirma roots that will be distrusted:

      • cacerts alias: camerfirmachamberscommerceca

        DN: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU

      • cacerts alias: camerfirmachambersca

        DN: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

      • cacerts alias: camerfirmachambersignca

        DN: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
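      An added example (not part of the CSR or the JDK's own implementation) that pre-checks a served PEM chain against the rule above: the chain's anchor is one of the three listed roots and the leaf's NotBefore is after April 15, 2025. Assumptions: the anchor is identified by matching the last certificate's issuer DN against the listed DNs (the JDK matches anchors its own way), and the chain file path is given on the command line.

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class CamerfirmaDistrustCheck {
    // The three roots listed in the CSR, matched here by subject DN (simplification, not the JDK's matching).
    static final Set<X500Principal> DISTRUSTED_ROOTS = Set.of(
        new X500Principal("CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU"),
        new X500Principal("CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"),
        new X500Principal("CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"));
    static final LocalDate CUTOFF = LocalDate.of(2025, 4, 15);

    /** Returns a rejection reason if CAMERFIRMA_TLS would reject the chain, or null if the policy does not apply. */
    static String wouldBeDistrusted(List<X509Certificate> chain) {
        X509Certificate leaf = chain.get(0);              // server certificate is first
        X509Certificate last = chain.get(chain.size() - 1); // its issuer is the anchor (root may be omitted from the chain)
        if (!DISTRUSTED_ROOTS.contains(last.getIssuerX500Principal())) return null;
        LocalDate issued = leaf.getNotBefore().toInstant().atZone(ZoneOffset.UTC).toLocalDate();
        if (!issued.isAfter(CUTOFF)) return null;        // issued on or before the cutoff: trusted until expiry
        return "TLS server certificate issued after " + CUTOFF
            + " and anchored by a distrusted legacy Camerfirma root CA: " + last.getIssuerX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // Report whether the running JDK actually enables the policy (assumed property value from the CSR).
        String policies = Security.getProperty("jdk.security.caDistrustPolicies");
        System.out.println("jdk.security.caDistrustPolicies = " + policies
            + (policies != null && policies.contains("CAMERFIRMA_TLS") ? " (CAMERFIRMA_TLS enabled)" : " (CAMERFIRMA_TLS not enabled)"));
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {   // PEM file, leaf first
            for (var c : CertificateFactory.getInstance("X.509").generateCertificates(in)) chain.add((X509Certificate) c);
        }
        String reason = wouldBeDistrusted(chain);
        System.out.println(reason == null ? "Chain not affected by CAMERFIRMA_TLS" : "Would be rejected: " + reason);
    }
}
```

      Run with `java CamerfirmaDistrustCheck chain.pem`; a chain whose leaf was issued on or before the cutoff prints as unaffected even when anchored by one of the three roots.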

      People: Mark Powers (mpowers), Sean Mullan (mullan)