Sub-task - Resolution: Delivered - P4 - 26
The Oracle JDK will no longer accept third-party cryptographic providers signed with certificates issued by the old (expired) Sun JCE CA root certificate.
The Sun JCE Certificate Authority issued code-signing certificates to customers so that they could create third-party JCE cryptographic providers for use in the JDK (and in Sun/Oracle JDK-derived distributions). This Authority was taken over by Oracle, and in 2016 a newer, stronger root certificate was created to anchor newly issued certificates.
Provider jars signed using certificates issued by the old Sun JCE CA may encounter the following error:
```
java.lang.SecurityException: JCE cannot authenticate the provider MyProvider
...
Caused by: java.util.jar.JarException: MyProvider.jar is not signed by a trusted signer.
```
These older certificates can often be identified by the `O=Sun Microsystems Inc` field in the certificate used to sign the jar file:
```
% jarsigner -verify -verbose -certs MyProvider.jar
941 Tue Feb 05 18:15:34 PST 2013 META-INF/MANIFEST.MF
...deleted...
- Signed by "CN=Your Company, OU=Java Software Code Signing, O=Sun Microsystems Inc"
```
The older certificates issued by the Sun JCE CA expired in 2021 at the latest, and should be reissued using the new Oracle CA.
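To audit several provider jars at once, the `jarsigner` check above can be scripted. The following is an added example, not part of the original release note: the function names and the sample output are constructed, and it assumes the `- Signed by "..."` line format shown above.

```shell
#!/bin/sh
# Added example: flag jars whose signer DN carries the legacy organization.

# Constructed sample of `jarsigner -verify -verbose -certs` output:
# one legacy signer listed twice, plus one unrelated (made-up) signer.
sample_output() {
    cat <<'EOF'
941 Tue Feb 05 18:15:34 PST 2013 META-INF/MANIFEST.MF
- Signed by "CN=Your Company, OU=Java Software Code Signing, O=Sun Microsystems Inc"
- Signed by "CN=Your Company, OU=Java Software Code Signing, O=Sun Microsystems Inc"
- Signed by "CN=Other Vendor, OU=Java Software Code Signing, O=Example Org"
EOF
}

# Read jarsigner output on stdin and print each distinct signer DN whose
# O= component is exactly "Sun Microsystems Inc".
legacy_signers() {
    sed -n 's/^[[:space:]]*- Signed by "\(.*\)"[[:space:]]*$/\1/p' |
        grep -E '(^|, *)O=Sun Microsystems Inc(,|$)' |
        sort -u
}

# Run jarsigner on every jar given as an argument and report the result.
# Returns 1 if at least one jar has a legacy signer, so it can gate a build.
audit_jars() {
    rc=0
    for jar in "$@"; do
        hits=$(jarsigner -verify -verbose -certs "$jar" 2>/dev/null | legacy_signers)
        if [ -n "$hits" ]; then
            printf 'LEGACY  %s\n' "$jar"
            printf '%s\n' "$hits" | sed 's/^/        /'
            rc=1
        else
            # Also printed for unsigned jars or when jarsigner fails.
            printf 'no legacy signer found  %s\n' "$jar"
        fi
    done
    return $rc
}

# Usage: sh audit-jce-signers.sh lib/*.jar   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_jars "$@"
fi
```

A jar reported as `LEGACY` needs to be re-signed with a certificate issued by the new Oracle CA; a jar reported as having no legacy signer may still be unsigned, so this check complements rather than replaces `jarsigner -verify`.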