The Oracle JDK will no longer accept 3rd Party cryptographic providers signed with certificates issued by the old (expired) Sun JCE CA root certificate.

The Sun JCE Certificate Authority issued code-signing certificates to customers so they can create third-party JCE cryptographic providers for use in the JDK (and the Sun/Oracle JDK-derived distributions). This Authority was taken over by Oracle, and in 2016 a newer, stronger root certificate was created to anchor newly issued certificates.

Such errors might appear as:

    java.lang.SecurityException: JCE cannot authenticate the provider MyProvider
    ...
    Caused by: java.util.jar.JarException: MyProvider.jar is not signed by a trusted signer.

These older certificates can often be identified by the `OU=Java Software Code Signing` field in the certificate used to sign the jar file:

    % jarsigner -verify -verbose -certs MyProvider.jar

         941 Tue Feb 05 18:15:34 PST 2013 META-INF/MANIFEST.MF
         ...deleted...
        - Signed by "CN=Oracle Corporation, OU=Java Software Code Signing, O=Sun Microsystems Inc"

The older certificates issued by the Sun JCE CA expired in 2021 at the latest, and should be reissued using the new Oracle CA.