[8u] Is it possible to bring root certificates to OpenJDK 8 [JEP319] ?

Langer, Christoph christoph.langer at sap.com
Mon Mar 25 07:22:34 UTC 2019

Hi Martijn,

as far as I understand the AdoptOpenJDK infrastructure, you have created a cacerts file from the Mozilla certificates which you are using in the AdoptOpenJDK 8 build via configure option [1]. Is that correct or am I missing something?

I was planning to bring the cacerts file from jdk/jdk down to 8 with the associated tests. Your build setup should still work then, I guess.

However, if somebody from AdoptOpenJDK wants to do the work of bringing it into OpenJDK8 updates, feel free. It’s not the very first thing on my todo list ��

Thanks & Best regards

[1] https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security

From: Martijn Verburg <martijnverburg at gmail.com>
Sent: Freitag, 22. März 2019 20:38
To: Sean Mullan <sean.mullan at oracle.com>
Cc: Langer, Christoph <christoph.langer at sap.com>; jdk8u-dev at openjdk.java.net; OpenJDK Dev list <security-dev at openjdk.java.net>
Subject: Re: [8u] Is it possible to bring root certificates to OpenJDK 8 [JEP319] ?

FWIW - we backported these in the AdoptOpenJDK 8 builds and could provide a patch to upstream that change.


On Fri, 22 Mar 2019 at 19:35, Sean Mullan <sean.mullan at oracle.com<mailto:sean.mullan at oracle.com>> wrote:
Hi Christoph,

On 3/21/19 6:20 AM, Langer, Christoph wrote:
> Hi,
> I recently came across a scenario where I wanted to use a self-built OpenJDK 8 in a maven build and it could not download artefacts due to missing root certificates. I helped myself by replacing the cacerts with some other version from a later OpenJDK and came over the issue. However, I’ve asked myself whether it was possible/worthwhile to get the root certificates also into an OpenJDK 8 update?
> With JEP 319 [0], Oracle has open-sourced the root certificates into OpenJDK. The initial check-in was done for jdk10, via bug JDK-8189131 [1]. After that, several commits have been made to update the set of root certificates and improve the tests.
> Now my questions are: Is it legally possible to bring these root certificates also into OpenJDK 8? Since it is a JEP, can the “feature” be added to OpenJDK 8 via an update release? And, last but not least, would there be interest in the community for that at all?

I can answer the first two questions. I talked to one of our Product
Managers who was involved with this JEP and he said that we have
permission to release these certificates as open source at OpenJDK (much
as Mozilla has roots in Firefox).  Therefore there should be no concerns
using with OpenJDK 8 or other versions for that matter.  If you mean the
jdk8u project specifically, you should check with the current
maintainers for interest in this as I think they currently use other
means for their builds.


> Just trying to start a discussion… ��
> Best regards
> Christoph
> [0] http://openjdk.java.net/jeps/319
> [1] https://bugs.openjdk.java.net/browse/JDK-8189131

More information about the jdk8u-dev mailing list