
default root ca certificates in Corretto keystore compared with Oracle's #59

Closed
vijayyadav06 opened this issue Feb 6, 2019 · 4 comments
Labels
question Further information is requested

Comments

@vijayyadav06

Hi,

As we are looking into migrating to Corretto, we wanted to compare the root certs in Corretto vs. Oracle's JDK 8 (1.8.0_202), with the goal of figuring out the impact on our web-facing applications (and a better estimate of the migration effort).

So the Oracle JDK 8 has 96 entries and Corretto has 155 in its keystore. Wondering if all the root certs of the Oracle JDK are included in Corretto?

More detail:
/Library/Java/JavaVirtualMachines/amazon-corretto-8.jdk/Contents/Home/jre/lib/security
=> keytool -list -keystore cacerts
Enter keystore password:
Your keystore contains 155 entries

vs

/Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre/lib/security
=> keytool -list -keystore cacerts
Enter keystore password:
Your keystore contains 96 entries

@davecurrie
Contributor

@vijayyadav06 We distribute the same cacerts that you get in Amazon Linux, which is an Amazon-managed list of certs. The list of certs provided by Oracle is managed internally by them as part of their distribution.

There will be some overlap but we can't guarantee what that overlap will be. We recommend checking for each one that you know you'll need using keytool.
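One way to do that check across a whole store rather than one alias at a time (an added example, not Corretto's or Oracle's tooling): dump each keystore with `keytool -list -rfc -keystore cacerts`, then match entries by the SHA-256 fingerprint of the certificate bytes, since the two vendors use different alias names for the same root. The two dumps below are constructed stand-ins with fake certificate bodies and made-up aliases; on a real system you would feed the saved keytool output into the same functions.

```python
import base64
import hashlib
import re

# Parser for the text that `keytool -list -rfc -keystore cacerts` prints:
# an "Alias name:" header per entry, followed by a PEM certificate block.
ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$", re.MULTILINE)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def parse_keytool_rfc(text):
    """Map SHA-256 fingerprint of each certificate's DER bytes -> alias."""
    entries = {}
    parts = ALIAS_RE.split(text)  # [preamble, alias1, body1, alias2, body2, ...]
    for i in range(1, len(parts) - 1, 2):
        alias, body = parts[i], parts[i + 1]
        match = PEM_RE.search(body)
        if match is None:
            continue  # entry without an exported certificate; nothing to fingerprint
        der = base64.b64decode("".join(match.group(1).split()))
        entries[hashlib.sha256(der).hexdigest()] = alias
    return entries


def compare_truststores(reference_text, candidate_text):
    """Which certs of the reference store (by fingerprint, not alias) the candidate lacks."""
    ref = parse_keytool_rfc(reference_text)
    cand = parse_keytool_rfc(candidate_text)
    return {
        "missing": sorted(ref[fp] for fp in ref if fp not in cand),
        "common": sorted(ref[fp] for fp in ref if fp in cand),
    }


def _fake_entry(alias, payload):
    # Constructed stand-in for one keytool entry; a real dump carries DER-encoded X.509.
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(payload).decode()
    return "Alias name: %s\nCreation date: Jan 1, 2019\nEntry type: trustedCertEntry\n\n%s\n\n" % (alias, pem)


# Constructed dumps: the same root appears under different aliases in each store,
# and one root of the reference store is absent from the candidate store.
HEADER = "Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 2 entries\n\n"
ORACLE_DUMP = HEADER + _fake_entry("rootca-a", b"constructed-root-A") + _fake_entry("rootca-b", b"constructed-root-B")
CORRETTO_DUMP = HEADER + _fake_entry("root_ca_a [jdk]", b"constructed-root-A") + _fake_entry("root_ca_c [jdk]", b"constructed-root-C")

if __name__ == "__main__":
    print(compare_truststores(ORACLE_DUMP, CORRETTO_DUMP))
```

Every alias listed under "missing" is one you would need to import into the Corretto store (or verify is superseded by a newer root) before cutting over.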

@vshank77

Wished at least the Amazon root certificate was included :(

@hybby

hybby commented Aug 15, 2019

Heads up that if you're migrating from OpenJDK, it seems to symlink to the system truststore on CentOS 7 at least:

[root@ip-10-27-92-195 security]# yum whatprovides /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/security/cacerts
...
1:java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6.x86_64 : OpenJDK Headless Runtime Environment 8
Repo        : updates
Matched from:
Filename    : /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/security/cacerts
[root@ip-10-27-92-195 security]# ls -ld /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 41 Aug  8 16:01 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts

If you've added anything special to that truststore and use it under OpenJDK, you may have to re-symlink the Corretto CA Certs to your system keystore.

# mv /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts.old
# ln -s /etc/pki/ca-trust/extracted/java/cacerts /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts

@candrews

candrews commented Oct 9, 2019

Heads up that if you're migrating from OpenJDK, it seems to symlink to the system truststore on CentOS 7 at least

Thank you for pointing this out!

I believe that Corretto should behave just like OpenJDK and use the system trust store so I just requested that: #171
