The `cacerts` file that OpenJDK maintains lacks a number of CA certificates that are present in common browsers. As a result, users of OpenJDK cannot connect from Java to servers that they can reach with their browsers, which causes confusion and support requests.
In May 2020, we reached out to OpenJDK to discuss this situation, but no consensus was reached. Consequently, the AdoptOpenJDK TSC decided to deviate from OpenJDK and distribute a custom trust store based on Mozilla's list of trusted CA certificates, the same list that many Linux distributions use.
If you want to build OpenJDK with the original `cacerts` file, set `--custom-cacerts=false`.
The `cacerts` file is built from source as part of the regular JDK build rather than checked in as a binary, because vetting a binary blob in a pull request is difficult. Since `certdata.txt` cannot be converted directly into a Java keystore, the conversion happens in two steps:
- Convert `certdata.txt` into a PEM file (`ca-bundle.crt`) with `mk-ca-bundle.pl`.
- Split `ca-bundle.crt` into individual certificates and import them with `keytool` into a new `cacerts` file.
To generate a new `cacerts` file, run:

```
./mk-cacerts.sh
```
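The two steps above, shown as an added example that is not the project's own `mk-cacerts.sh`: the splitter relies on the layout `mk-ca-bundle.pl` writes (each certificate's name on the line above a row of `=` signs) to derive a stable `keytool` alias, disambiguates duplicate names because `keytool` refuses to import two entries under one alias, and closes with a count check against the keystore. It assumes `keytool` is on `PATH` and uses the conventional `cacerts` password `changeit`; the sample bundle it writes is constructed for illustration and its base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not the project's mk-cacerts.sh.
# Usage: sh split-and-import.sh ca-bundle.crt cacerts
set -eu

# split_bundle BUNDLE OUTDIR
# Writes each BEGIN/END CERTIFICATE block in BUNDLE to OUTDIR/<alias>.pem,
# where <alias> is derived from the name line mk-ca-bundle.pl places above
# a row of "=" characters. Prints the number of certificates written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        # The certificate name is the line directly above a "=====" underline.
        /^=+$/ && prev != "" { name = prev }
        /-----BEGIN CERTIFICATE-----/ {
            alias = tolower(name); gsub(/[^a-z0-9]+/, "_", alias)
            if (alias == "") alias = "cert"
            # keytool rejects duplicate aliases, so number repeated names.
            if (alias in seen) alias = alias "_" (++seen[alias])
            else seen[alias] = 1
            out = outdir "/" alias ".pem"; n++
        }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = ""; name = "" }
        { prev = $0 }
        END { print n + 0 }
    ' "$bundle"
}

# import_certs CERTDIR KEYSTORE
# Starts a fresh keystore and imports every split certificate as a trusted
# entry whose alias is the PEM file name.
import_certs() {
    certdir=$1; keystore=$2
    rm -f "$keystore"
    for cert in "$certdir"/*.pem; do
        alias=$(basename "$cert" .pem)
        keytool -importcert -noprompt -keystore "$keystore" \
            -storepass changeit -alias "$alias" -file "$cert"
    done
}

# count_trusted KEYSTORE: number of trustedCertEntry entries keytool lists.
count_trusted() {
    keytool -list -keystore "$1" -storepass changeit | grep -c 'trustedCertEntry'
}

# write_sample_bundle PATH: constructed sample in the mk-ca-bundle.pl layout.
# The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
##
## Bundle of CA Root Certificates (constructed sample)
##

Example Root CA
===============
-----BEGIN CERTIFICATE-----
MIIBexampleRootCAplaceholderAAAA
-----END CERTIFICATE-----

Example Root CA
===============
-----BEGIN CERTIFICATE-----
MIIBsecondCertWithSameNameAAAA
-----END CERTIFICATE-----

Another Trust Anchor G3
=======================
-----BEGIN CERTIFICATE-----
MIIBanotherTrustAnchorG3AAAA
-----END CERTIFICATE-----
EOF
}

# Run the full pipeline only when a bundle and a keystore path are given.
if [ "$#" -eq 2 ]; then
    expected=$(split_bundle "$1" certs.d)
    import_certs certs.d "$2"
    actual=$(count_trusted "$2")
    echo "bundle: $expected certificates, keystore: $actual trusted entries"
    [ "$expected" -eq "$actual" ] || { echo "count mismatch" >&2; exit 1; }
fi
```

The final count comparison is the check worth keeping whatever tooling you use: if the number of `trustedCertEntry` lines `keytool -list` reports is lower than the number of certificates in the bundle, an import failed silently or two certificates collided on an alias.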
If anybody ever plans to replace `mk-ca-bundle.pl`, be sure to read "Can I use Mozilla's set of CA certificates?" first: `certdata.txt` carries per-certificate trust flags, and a converter that ignores them will import entries Mozilla does not trust for server authentication, or has explicitly distrusted, into the trust store.
Every time Mozilla updates the list of CA certificates, we have to update our copy of `certdata.txt`. Whether it needs updating can be checked on curl's website. If it does, the process is:
- Download the current version of `certdata.txt`.
- Replace the existing file in `security`.
- Open a pull request to get it merged.
The updated list is picked up during the next build.
The resulting `cacerts` file is licensed under the terms of the source file, the Mozilla Public License, v2.0.
The download of `certdata.txt` and the pull request are also automated by a GitHub Actions workflow; see the workflow file.