Missing root CAs in cacerts
andreas at ahlenstorf.ch
Thu May 14 17:44:53 UTC 2020
At AdoptOpenJDK, we get support requests because root CAs are missing from the bundled cacerts file (lib/security/cacerts). We ship the same cacerts file as OpenJDK. As a result, our users cannot connect to various servers using Java's built-in APIs while their browsers can. An example URL that fails is https://api.insee.fr/catalogue/ (root CA: Certigna).
Replacing the bundled cacerts file with one generated from Mozilla's list of trusted CAs  fixes the problem.  contains the full analysis based on OpenJDK 14.0.1 including an executable test case.
* Does OpenJDK want to do something about that?
* Is there interest for a collaboration in that area, especially by other distributors of OpenJDK like Azul, BellSoft?
From an end user's perspective, it is inscrutable why it is possible to connect to a website using their browser or curl, but not Java. While there might be some differences because of policy, OpenJDK should strive to match the browser's list of trusted CAs as closely as possible. As of OpenJDK 14.0.1, cacerts contains 93 entries while Mozilla's list contains 138.
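As an added example (not part of the original message, nor code from OpenJDK or AdoptOpenJDK), the following Java program diffs the running JDK's bundled cacerts against a PEM bundle derived from Mozilla's trusted CA list and reports every root that cacerts lacks, which is how a distributor or operator can see gaps like the Certigna case above. It assumes the default cacerts password "changeit" and that the PEM bundle path is passed as the first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

public class CacertsDiff {
    // Hex SHA-256 of the DER encoding: the usual stable identifier for a root certificate.
    static String fingerprint(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // Trust anchors shipped in the JDK's cacerts keystore, keyed by fingerprint.
    static Map<String, X509Certificate> loadCacerts(Path cacerts, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) { ks.load(in, password); }
        Map<String, X509Certificate> out = new HashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) out.put(fingerprint(c), (X509Certificate) c);
        }
        return out;
    }
    // Roots from a PEM bundle (assumed: a cacert.pem extracted from Mozilla's list), keyed by fingerprint.
    static Map<String, X509Certificate> loadPemBundle(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Map<String, X509Certificate> out = new HashMap<>();
        try (InputStream in = new FileInputStream(pem.toFile())) {
            for (Certificate c : cf.generateCertificates(in)) out.put(fingerprint(c), (X509Certificate) c);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Assumes the running JDK's own cacerts with the default "changeit" password; args[0] is the PEM bundle.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Map<String, X509Certificate> jdk = loadCacerts(cacerts, "changeit".toCharArray());
        Map<String, X509Certificate> bundle = loadPemBundle(Paths.get(args[0]));
        System.out.printf("cacerts: %d roots, bundle: %d roots%n", jdk.size(), bundle.size());
        for (Map.Entry<String, X509Certificate> e : bundle.entrySet()) {
            if (!jdk.containsKey(e.getKey()))
                System.out.println("missing from cacerts: " + e.getValue().getSubjectX500Principal());
        }
    }
}
```

Roots are matched by certificate fingerprint rather than by subject name, so a CA that re-issued its root with the same name but a different key still shows up as missing.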