
The list of included root-CA certificates in OpenJDK for Windows is quite impressive but there are a lot of root-CA certificates that are trusted by common browsers like Firefox that are not trusted by Java.

Both Microsoft and Mozilla publish their current list of root-CA certificates but the used file format seems to be proprietary.

The curl project has an automatic converter that uses the Mozilla file as source, however this converter (mk-ca-bundle) is a Perl script.

Is there a way to read one of these lists with plain Java so that it can be used as trust store afterwards?

Robert

1 Answer


OpenJDK describes how they build the cacerts file in the Security files for OpenJDK repo. The script downloads the certificates from Mozilla:

wget https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt .

As per the repo instructions you could build your own cacerts file that will trust another list of certificates of your own choosing:

  1. Download the following Perl script: https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl

  2. Download the following Java application: https://github.com/use-sparingly/keyutil/releases/download/0.4.0/keyutil-0.4.0.jar (source available at https://github.com/use-sparingly/keyutil)

  3. Run the provided GenerateCertsFile.sh script with: bash ./GenerateCertsFile.sh - this will use the above files assuming they're located in the same directory as the script

  4. Use the cacerts provided: it must be in the jdk/jre/lib/security or jdk/lib/security folder

Karol Dowbecki
  • As I wrote in my question the script is Perl - a language that is not available on a common Windows system. I am looking for a plain Java solution. – Robert Jun 07 '19 at 12:30
  • You can skip the Perl script part by using the PEM file located [here](https://curl.se/docs/caextract.html). – GLRoman Feb 18 '21 at 17:12
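A plain-Java reader for the certdata.txt file that the answer's script downloads, added here as an example and not part of either post. It assumes the file is saved locally as certdata.txt and writes a PKCS12 store named mozilla-cacerts.p12 with password changeit (file names and password are assumptions); only roots whose NSS trust object grants CKT_NSS_TRUSTED_DELEGATOR for server authentication are imported, so explicitly distrusted and e-mail-only roots are left out.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.*;
// Added example: builds a Java trust store from Mozilla's NSS certdata.txt without Perl.
// Only roots whose CKO_NSS_TRUST object grants CKT_NSS_TRUSTED_DELEGATOR for server auth are kept.
public class CertdataToKeyStore {
    public static KeyStore build(Path certdata) throws Exception {
        Map<String, byte[]> certs = new LinkedHashMap<>(); // CKA_LABEL -> DER bytes
        Set<String> serverAuthTrusted = new HashSet<>();    // labels trusted for TLS server auth
        String label = null;
        boolean inTrustObject = false;
        try (BufferedReader r = Files.newBufferedReader(certdata)) {
            for (String line; (line = r.readLine()) != null; ) {
                if (line.startsWith("CKA_CLASS")) {
                    inTrustObject = line.contains("CKO_NSS_TRUST"); // trust object vs. certificate object
                } else if (line.startsWith("CKA_LABEL")) {
                    label = line.substring(line.indexOf('"') + 1, line.lastIndexOf('"'));
                } else if (line.startsWith("CKA_VALUE MULTILINE_OCTAL")) {
                    certs.put(label, readOctal(r)); // the certificate's DER encoding follows
                } else if (inTrustObject && line.startsWith("CKA_TRUST_SERVER_AUTH")
                        && line.contains("CKT_NSS_TRUSTED_DELEGATOR")) {
                    serverAuthTrusted.add(label);
                }
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("PKCS12"); // Java 8+ can hold trusted certs in PKCS12
        ks.load(null, null);
        for (Map.Entry<String, byte[]> e : certs.entrySet()) {
            if (!serverAuthTrusted.contains(e.getKey())) continue; // distrusted or e-mail-only root
            ks.setCertificateEntry(e.getKey(), cf.generateCertificate(new ByteArrayInputStream(e.getValue())));
        }
        return ks;
    }
    // Decodes the "\ooo\ooo..." lines that follow MULTILINE_OCTAL, up to the END marker.
    private static byte[] readOctal(BufferedReader r) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String line; !(line = r.readLine().trim()).startsWith("END"); )
            for (int i = 0; i + 4 <= line.length(); i += 4) // each byte is "\" + three octal digits
                out.write(Integer.parseInt(line.substring(i + 1, i + 4), 8));
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = build(Paths.get(args.length > 0 ? args[0] : "certdata.txt"));
        try (OutputStream os = Files.newOutputStream(Paths.get("mozilla-cacerts.p12"))) {
            ks.store(os, "changeit".toCharArray()); // assumed output file name and password
        }
        System.out.println("Imported " + ks.size() + " roots trusted for server authentication");
    }
}
```

The resulting file can be passed to a JVM with -Djavax.net.ssl.trustStore=mozilla-cacerts.p12 (and the matching trustStorePassword) instead of replacing the JDK's own cacerts.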