
Remove root certificates with 1024-bit keys


    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The vast majority of certificates issued by these CAs are now expired, and very few, if any, certificates are still being issued from these roots. It is possible that some signed and timestamped JARs may still be in use (timestamping allows them to be used beyond the code signing certificate's expiration date) in applet/JWS technology for JDK 8u. The release note will advise end users to re-sign their applications with better root certificates where necessary.

      Description

      Summary

      Remove root certificates with 1024-bit RSA public keys from the cacerts keystore.

      Please refer to https://bugs.openjdk.java.net/browse/JDK-8256502; this is a clone CSR for the JDK 7u/8u/11u backports that are in progress.

      Problem

      In JDK 7u/JDK 8u, there are currently 6 root certificates with 1024-bit RSA public keys in the system-wide cacerts keystore. In JDK 11u, there are 5. These roots should be removed as the key size is weak.

      Solution

      Remove the following root certificates (keystore alias and Distinguished Name shown below) from the cacerts keystore:

      1. thawtepremiumserverca [jdk]

        EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

      2. verisignclass2g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      3. verisignclass3ca [jdk]

        OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

      4. verisignclass3g2ca [jdk]

        OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

      5. verisigntsaca [jdk]

        CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

      In addition to the above, JDK 7u/JDK 8u will also have this root certificate removed:

      1. gtecybertrustglobalca [jdk]

        CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

      Specification

      The keystore aliases listed in the Solution section will be removed from the {java.home}/lib/security/cacerts file. Since this file is binary, it is not possible to show a diff.

      In JDK 11u, the following files containing the certificates will be deleted from the JDK source code:

      • make/data/cacerts/thawtepremiumserverca
      • make/data/cacerts/verisignclass2g2ca
      • make/data/cacerts/verisignclass3ca
      • make/data/cacerts/verisignclass3g2ca
      • make/data/cacerts/verisigntsaca

      In JDK 7u/JDK 8u, the binary equivalents of the 6 certificates will be removed from the cacerts file.
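      Because the cacerts file is binary and no diff can be shown, a practical way to confirm the change on an installed JDK is to load the keystore and audit it. The following is an added example, not part of this CSR or the OpenJDK sources: it opens the running JDK's cacerts with the standard KeyStore API, flags any root whose RSA modulus is shorter than 2048 bits, and reports whether each alias listed in the Solution section is still present. It assumes the default cacerts integrity password "changeit" has not been changed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

/** Added example (not OpenJDK code): audit cacerts for weak RSA roots. */
public class WeakRootAudit {

    // Aliases removed by JDK-8260722 (JDK 7u/8u include gtecybertrustglobalca).
    static final List<String> REMOVED_ALIASES = Arrays.asList(
        "thawtepremiumserverca", "verisignclass2g2ca", "verisignclass3ca",
        "verisignclass3g2ca", "verisigntsaca", "gtecybertrustglobalca");

    static final int MIN_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        // java.home points at the JRE directory, so this resolves to
        // {java.home}/lib/security/cacerts on JDK 7u, 8u and 11u alike.
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray()); // assumption: default password
        }

        int weak = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < MIN_RSA_BITS) {
                    weak++;
                    System.out.printf("WEAK    %-30s %4d-bit RSA  %s%n",
                        alias, bits, x.getSubjectX500Principal());
                }
            }
        }
        // Newer cacerts files suffix JDK-shipped aliases with " [jdk]"; check both.
        for (String alias : REMOVED_ALIASES) {
            boolean present = ks.containsAlias(alias) || ks.containsAlias(alias + " [jdk]");
            System.out.printf("%-7s %s%n", present ? "PRESENT" : "absent", alias);
        }
        System.out.println(weak + " RSA root(s) below " + MIN_RSA_BITS + " bits.");
    }
}
```

      On a JDK that has picked up this change, every listed alias should report "absent" and the final count should be 0; a "PRESENT" line or a WEAK entry means the installed cacerts predates the fix or a custom trust store is in use.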

              People

              Assignee:
              coffeys Sean Coffey
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Sean Mullan