- Type: CSR
- Resolution: Unresolved
- Priority: P4
- None
- Component/s: security-libs
- None
- binary
- minimal
- Custom runtime will have fewer root certificates, but this is intentional.
- add/remove/modify command line option
- JDK
Summary
Add a jlink plugin that lets the user specify which CA certificates to include in the cacerts keystore of a custom runtime image. This can be very useful for creating runtimes that contain only the CA certificates needed by the application(s) that will use that custom runtime.
Problem
The cacerts keystore contains over 100 root certificates. While each of these allows applications to establish trust in certificates issued by that CA, not all applications need all of the certificates. For example, a client which only accesses one server over TLS typically only needs the root certificate of the TLS server's certificate chain.
Solution
See specification.
Specification
Add the following plugin to the jlink man page:
Plugin cacerts
Options
--cacerts=alias[,alias]*
Description
Create the cacerts keystore in the output image with the certificates of the specified
aliases only. alias is the name of an alias in the cacerts keystore.
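The following is an added example, not the plugin's code and not part of the CSR: a small Java program that models the selection rule above against the running JDK's own cacerts, so the aliases to pass to --cacerts can be listed and the effect of a given list previewed. The class name, the output file name cacerts.subset, the "changeit" store password and the choice to fail on an unknown alias are assumptions; the specification does not say how the plugin treats an alias that is not present.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added illustration: models "certificates of the specified aliases only".
public class CacertsSubset {

    // Copy only the named trusted-certificate entries into a new, empty keystore.
    static KeyStore subset(KeyStore source, List<String> aliases) throws Exception {
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null); // initialise as an empty keystore
        List<String> missing = new ArrayList<>();
        for (String alias : aliases) {
            Certificate cert = source.getCertificate(alias.trim());
            if (cert == null) {
                missing.add(alias);
            } else {
                out.setCertificateEntry(alias.trim(), cert);
            }
        }
        // Assumption: a typo in the list should fail loudly rather than
        // silently produce a runtime that trusts fewer roots than intended.
        if (!missing.isEmpty()) {
            throw new IllegalArgumentException("No such alias in cacerts: " + missing);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        // A null password loads the entries without an integrity check.
        KeyStore source = KeyStore.getInstance(cacerts, (char[]) null);
        if (args.length == 0) { // no list given: print the available aliases
            Collections.list(source.aliases()).stream().sorted().forEach(System.out::println);
            return;
        }
        KeyStore out = subset(source, List.of(args[0].split(",")));
        try (OutputStream os = new FileOutputStream("cacerts.subset")) {
            out.store(os, "changeit".toCharArray()); // assumed password for the copy
        }
        System.out.printf("kept %d of %d certificates%n", out.size(), source.size());
    }
}
```

Run with no arguments to list aliases, or with one comma-separated argument in the same alias[,alias]* form the option takes. Pointing a test client's javax.net.ssl.trustStore at the resulting file shows whether the chosen roots are enough for the servers the application contacts.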
- csr of JDK-8377102 cacerts jlink plugin
- In Progress