-
Type:
Sub-task
-
Resolution: Delivered
-
Priority:
P4
-
Affects Version/s: 27
-
Component/s: security-libs
The JDK will stop trusting TLS server certificates issued after March 17, 2026 and anchored by Chunghwa root certificates, in line with similar plans announced by Google and Mozilla.
TLS server certificates issued on or before March 17, 2026 will continue to be trusted until they expire. Certificates issued after that date, and anchored by the Certificate Authority listed in the table below, will be rejected.
The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after March 17, 2026.
An application will receive an exception with a message indicating the trust anchor is not trusted, for example:
```
"TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW"
```
The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.
The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:
<table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root Certificates distrusted after 2026-03-17">
<caption>Root Certificates distrusted after 2026-03-17</caption>
<thead>
<tr>
<th scope="col">Distinguished Name</th>
<th scope="col">SHA-256 Fingerprint</th>
</tr>
</thead>
<tbody>
<tr>
<td>OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW</td>
<td>
<p> C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 </p>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server
TLS server certificates issued on or before March 17, 2026 will continue to be trusted until they expire. Certificates issued after that date, and anchored by the Certificate Authority listed in the table below, will be rejected.
The restrictions are enforced in the JDK implementation (the `SunJSSE` Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after March 17, 2026.
An application will receive an exception with a message indicating the trust anchor is not trusted, for example:
```
"TLS Server certificate issued after 2026-03-17 and anchored by a distrusted legacy Chunghwa root CA: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd." C=TW"
```
The JDK can be configured to trust these certificates again by removing "CHUNGHWA_TLS" from the `jdk.security.caDistrustPolicies` security property in the `java.security` configuration file.
The restrictions are imposed on the following Chunghwa Root certificates included in the JDK:
<table border="1" cellpadding="1" cellspacing="1" style="width:500px;" summary="Root Certificates distrusted after 2026-03-17">
<caption>Root Certificates distrusted after 2026-03-17</caption>
<thead>
<tr>
<th scope="col">Distinguished Name</th>
<th scope="col">SHA-256 Fingerprint</th>
</tr>
</thead>
<tbody>
<tr>
<td>OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW</td>
<td>
<p> C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5 </p>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
You can also use the `keytool` utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server