RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis volker.simonis at gmail.com
Tue Dec 5 08:44:37 UTC 2017

On Tue, Dec 5, 2017 at 9:19 AM, Magnus Ihse Bursie
<magnus.ihse.bursie at oracle.com> wrote:
> On 2017-12-01 18:16, Volker Simonis wrote:
>> Hi Rajan,
>> great to see this finally happen!
>> I have just a quick question related to the tests. As far as I can
>> see, the tests will only succeed if the OpenJDK will be built with the
>> new open sourced, Oracle root certificates. But what if somebody is
>> building the OpenJDK with his own set of root certificates (by using
>> the --with-cacerts-file option)? Do you see any possibility of
>> restricting these tests only to builds which used the original,
>> checked in cacerts file?
> My question is if the --with-cacerts-file option is still relevant after
> this? I see a good chance of simplifying some build logic here. :-)

I think the folks from the AdoptOpenJDK project are using this option
(CC-ed adoption-discuss). I'm not sure if they want to drop their root
certificates in favor of the new ones.

In general I think it would be useful to have something like
"--add-cacerts-file" which will merge in additional certificates
although this will most certainly complicate the build logic :)


> /Magnus
>> Regards,
>> Volker
>> On Fri, Dec 1, 2017 at 5:54 PM, Rajan Halade <rajan.halade at oracle.com>
>> wrote:
>>> May I request your review of this fix to open source the root
>>> certificates in Oracle's Java SE Root CA program. The fix is to populate
>>> cacerts keystore with root certificates and add corresponding tests for
>>> it as per the test plan outlined at JDK-8191711. Interoperability tests
>>> are added against CAs with available test certificates.
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8189131/webrev.00/
>>> JEP: https://bugs.openjdk.java.net/browse/JDK-8191486
>>> Thanks,
>>> Rajan
