6

Looking for a way to understand what certificates are trusted by JDK by default, without having to purchase the trial one.

JDK has this list of CAs that it trusts, but it's not really helpful, since before the purchase it's not clear which CA this certificate is going to be signed by (most certificates are signed by intermediate authorities).

Is there any list/database of certificates that are guaranteed to be trusted by the default JDK installation?

Oleg Mikheev

2 Answers

6

The JRE with default settings trusts all certificates that somehow link to one of the certificates in jre/lib/security/cacerts, unless you have configured a different truststore. Actually the process is a bit more complicated (google PKIX path validation), but this explanation is good enough for our purposes.

If your certificate is signed by an intermediate CA (which is true for most certificates), be sure to supply the certificate chain. For example, if you use it for HTTPS on an Apache webserver, use the SSLCertificateChainFile option to configure the file with the intermediates. This way, it doesn't matter which intermediate signs the certificate, as long as the intermediate links to a CA in cacerts.

BTW: The process to get a certificate into the truststore is explained here: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html

Since Oracle reserves the right to remove CAs from this list, there is no list that will be guaranteed to work in future releases. Depending on your application, supplying your own truststore via the property javax.net.ssl.trustStore might be an option.

Drunix
  • It doesn't explain how to make sure that an SSL certificate issued by some shady internet website is going to work with the default JDK installation... if there are no more answers, I will accept this one – Oleg Mikheev Jan 11 '14 at 07:05
  • It does, see the last sentence. You can supply your own truststore which includes the relevant certificates (CA or server). Alternatively you can implement your own X509TrustManager. See for example http://stackoverflow.com/questions/7443235/getting-java-to-accept-all-certs-over-https which shows an "accept-all" trustmanager. – Drunix Jan 13 '14 at 13:13
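The check the answer describes (the chain must link to a certificate in cacerts, via PKIX path validation, and the intermediates must be supplied) can be run ahead of deployment. The following is an added example written for this page, not code from the answer, from Oracle or from the JDK documentation. It loads the same truststore the JRE would use (the `javax.net.ssl.trustStore` property if set, otherwise `<java.home>/lib/security/cacerts`, with the well-known default password `changeit` as a fallback) and validates a PEM chain file given on the command line. The class name `ChainCheck` and the file-argument convention (leaf first, then intermediates) are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the answer or the JDK): validates a PEM certificate chain
 * (leaf first, then intermediates) against the truststore the JRE would use by default.
 */
public class ChainCheck {

    /** javax.net.ssl.trustStore if set, otherwise the JDK's own lib/security/cacerts. */
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            // java.home is the JRE directory on Java 8 and the JDK directory on 9+;
            // both contain lib/security/cacerts.
            path = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        }
        // "changeit" is the well-known default; it only protects the store's integrity, not a secret.
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Every certificate in a PEM file, in file order; the leaf must come first. */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * PKIX path validation with the truststore's trusted entries as anchors, the same check
     * JSSE performs during a TLS handshake. Returns the root the chain was anchored to.
     */
    static X509Certificate validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore); // trusted entries become TrustAnchors
        params.setRevocationEnabled(false); // keeps this check offline; enable CRL/OCSP in production
        List<X509Certificate> path = new ArrayList<>(chain);
        // A self-signed root at the end belongs in the anchor set, not in the path being validated.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ChainCheck <chain.pem>");
            System.exit(2);
        }
        List<X509Certificate> chain = readPemChain(Paths.get(args[0]));
        if (chain.isEmpty()) {
            System.err.println("no certificates found in " + args[0]);
            System.exit(2);
        }
        System.out.println("leaf: " + chain.get(0).getSubjectX500Principal());
        try {
            X509Certificate anchor = validate(chain, loadDefaultTrustStore());
            System.out.println("OK, anchored at trusted root: " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Most often: an intermediate is missing from the file, or the root is not in cacerts.
            System.out.println("FAIL: " + e.getMessage() + " (certificate index " + e.getIndex() + ")");
            System.exit(1);
        }
    }
}
```

Run it as `java ChainCheck chain.pem` (or `java ChainCheck.java chain.pem` on Java 11 and later). If the file holds only the leaf, the validator reports that it cannot find a valid certification path, which is exactly the failure the answer's SSLCertificateChainFile advice prevents; put the intermediates after the leaf and the check passes as long as the last intermediate links to a root in cacerts. PKIX validation checks validity dates and signatures but not the hostname, so a passing chain still needs to match the server name at connection time.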
1

In https://openjdk.java.net/jeps/319 there is a list of root certificates trusted by default since Java 10.

Reproduced here for convenience:

Actalis S.p.A.

CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Buypass AS

CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Camerfirma

CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Certum

CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Chunghwa Telecom Co., Ltd.

OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
Comodo CA Ltd.

CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Digicert Inc.

CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DocuSign

CN=Class 2 Primary CA, O=Certplus, C=FR
CN=Class 3P Primary CA, O=Certplus, C=FR
CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
D-TRUST GmbH

CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE
IdenTrust

CN=DST Root CA X3, O=Digital Signature Trust Co.
CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Let's Encrypt

CN=ISRG Root X1, O=Internet Security Research Group, C=US
LuxTrust

CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU
QuoVadis Ltd.

CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Secom Trust Systems

OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
SwissSign AG

CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Telia

CN=Sonera Class2 CA, O=Sonera, C=FI
Trustwave

CN=SecureTrust CA, O=SecureTrust Corporation, C=US
CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
eis
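The JEP 319 list above is a snapshot of one release, and the first answer notes that Oracle may remove roots later, so the dependable check is to enumerate the cacerts of the JDK that actually runs your application. The following is an added example written for this page, not code from either answer, from JEP 319 or from the JDK. It prints every trusted root in the default truststore and reports whether the CNs named on the command line (for instance "ISRG Root X1" from the list above) are present and unexpired. The class name `TrustedRoots`, the argument convention and the `changeit` fallback password are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not from the answers or the JDK): lists the roots in the running JDK's
 * default truststore and reports whether the CNs given on the command line are among them.
 */
public class TrustedRoots {

    /** Same resolution order as JSSE: javax.net.ssl.trustStore, else <java.home>/lib/security/cacerts. */
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString());
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // well-known default
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Trusted-certificate entries only (cacerts holds no private keys), as X.509 objects. */
    static List<X509Certificate> trustedCerts(KeyStore ks) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                certs.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return certs;
    }

    /** The CN of a subject DN, parsed with RFC 2253 rules so commas inside values are handled. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        return null; // some roots in the list above (older VeriSign, SECOM, Equifax) carry only an OU
    }

    /** True if an unexpired trusted root with exactly this CN is present. */
    static boolean trustsRoot(KeyStore ks, String cn) throws Exception {
        Date now = new Date();
        for (X509Certificate cert : trustedCerts(ks)) {
            if (cn.equals(commonName(cert)) && cert.getNotAfter().after(now)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadDefaultTrustStore();
        List<String> subjects = new ArrayList<>();
        for (X509Certificate cert : trustedCerts(ks)) {
            String expired = cert.getNotAfter().before(new Date()) ? "   [EXPIRED]" : "";
            subjects.add(cert.getSubjectX500Principal().getName() + expired);
        }
        Collections.sort(subjects); // sorted so the output of two JDK releases can be diffed
        subjects.forEach(System.out::println);
        System.out.println(subjects.size() + " trusted entries");

        boolean allPresent = true;
        for (String cn : args) { // e.g. "ISRG Root X1" "DigiCert Global Root CA"
            boolean present = trustsRoot(ks, cn);
            allPresent &= present;
            System.out.println((present ? "present: " : "MISSING: ") + cn);
        }
        System.exit(allPresent ? 0 : 1);
    }
}
```

Run it as `java TrustedRoots "ISRG Root X1" "DigiCert Global Root CA"`; a non-zero exit means at least one named root is absent or expired, which makes it usable as a build-time check before a JDK upgrade. Note that some Linux distribution packages replace the JDK's cacerts with a file generated from the system CA bundle, so the set printed there can differ from Oracle's list; enumerating the store you actually run, rather than trusting a published list, is the point of the check.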