RFR 8189131: Open-source the Oracle JDK Root Certificates

Weijun Wang weijun.wang at ORACLE.COM
Mon Dec 11 09:50:42 UTC 2017

> On Dec 8, 2017, at 10:45 PM, Volker Simonis <volker.simonis at gmail.com> wrote:
> OK, I've opened the RFR "JDK-8193255: Root Certificates should be
> stored in text format and assembled at build time" for this issue.

In fact, I would recommend we directly release cacerts as a text file containing PEM certificates, for these reasons:

- We are navigating away from JKS because it's not standard

- Certificates in PKCS12 requires a password to read

- I see no necessity for protecting cacerts, either for integrity or confidentiality, with a password

- A publicly known password is worse than no password

- Arbitrary comments (outside the ----BEGIN/END CERTIFICATE----- blocks) can be added as attributes


More information about the build-dev mailing list