OpenJDK 10 Now Includes Root CA Certificates
In this post, we take a look at some of the improvements made to the Java language in the latest release, and what the future looks like for Java.
With the release of OpenJDK 10 on 20 March 2018, Oracle and the Java community have made good on their commitment to furnish Java releases every six months. The JDK 11 project is well underway and the proposed schedule calls for its release on 25 September 2018, six months after the GA (General Availability) of OpenJDK 10. Alongside this significant change in release cadence, Oracle has pledged to make its commercial implementation of OpenJDK (Java SE or the Oracle JDK) as indistinguishable as possible from OpenJDK. This will take some time, but those efforts have commenced and are beginning to bear fruit.
One of the enhancements in JDK 10 is the inclusion, for the first time, of a set of root CA (Certificate Authority) certificates in the OpenJDK source. As specified by Java Enhancement Proposal (JEP 319), providing root CA certificates makes "OpenJDK builds more attractive to developers" and "reduces [sic] the differences between those builds and Oracle JDK builds."
Root certificates are stored, by default, in a keystore file called cacerts. Prior to JDK 10, the source code contained an empty cacerts file, disabling the ability to establish trust and effectively rendering many important security protocols unusable. To work around this shortcoming, developers had to roll their own cacerts keystore by manually populating it with a set of root certificates.
Let's examine OpenJDK 10 on a Windows desktop:
>jdk-10\bin\java --version
openjdk 10 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)
The following command utilizes the JDK keytool utility to query the cacerts keystore and count the number of certificates:
>jdk-10\bin\keytool -cacerts -list | find "Certificate" /c
Enter keystore password: changeit
80
By default the cacerts keystore password is changeit. The 80 included certificates match the number specified in JEP-319. The Certificate Authorities in question were required to sign an agreement granting Oracle the right to open-source their certificates.
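The keytool count shows how many roots are trusted, not what state they are in. As an added example (not code from the original article or from the OpenJDK project), the following Java program loads the same cacerts keystore through the KeyStore API and reports expired roots and the signature algorithms in use; the class name CacertsAudit is hypothetical, and it assumes the default keystore location for JDK 9 and later and the default changeit password.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.TreeMap;

// Hypothetical class name; added example, not part of the JDK.
public class CacertsAudit {
    public static void main(String[] args) throws Exception {
        // Assumption: default trust store location for JDK 9 and later.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        // Assumption: default password from the article.
        // getInstance(File, char[]) detects the keystore type and loads it.
        KeyStore ks = KeyStore.getInstance(cacerts, "changeit".toCharArray());

        Date now = new Date();
        int trusted = 0;
        int expired = 0;
        Map<String, Integer> sigAlgs = new TreeMap<>();

        for (String alias : Collections.list(ks.aliases())) {
            // Only trusted-certificate entries act as trust anchors.
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            trusted++;
            sigAlgs.merge(x.getSigAlgName(), 1, Integer::sum);
            if (now.after(x.getNotAfter())) {
                expired++;
                System.out.printf("EXPIRED %s (%s) notAfter=%s%n",
                        alias, x.getSubjectX500Principal().getName(), x.getNotAfter());
            }
        }

        System.out.printf("%s: %d trusted certificate entries, %d expired%n",
                cacerts, trusted, expired);
        // Signature algorithm of each root, grouped, to spot legacy hashes at a glance.
        sigAlgs.forEach((alg, n) -> System.out.printf("  %-24s %d%n", alg, n));
    }
}
```

Running the same audit against a custom or vendor-supplied keystore only requires changing the file path and password.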
Expect to see more Oracle value-add finding its way into the OpenJDK source as time marches on.