Rely on system certificates #67

Open
ffray opened this issue Aug 12, 2024 · 1 comment


ffray commented Aug 12, 2024

Problem

When updating Corretto, former changes to the Keystore (${java.home}/lib/security/cacerts) get lost.
This also includes certificates which have been installed to the system and later on copied to the JDK's cacerts.
While it is possible to let every Java application point to the system keystore which uses the system default, it is cumbersome to do this.

Proposed solution

When installing Corretto, the system certificates should be used, if possible.

On Debian / Ubuntu ca-certificates and ca-certificates-java provide related tools,
on RHEL / Fedora / AmazonLinux a similar package exists.

Former releases of the underlying OpenJDK offered such integration, which comes in handy and is a secure and intuitive default, as distribution maintainers' decisions apply to installed JREs / JDKs, too.

[Note: Updated as the initial idea was bad]


ffray commented Aug 12, 2024

Proof-of-concept can be found here: https://github.com/ffray/corretto-21

@ffray ffray changed the title Reinstall system-wide certificates upon updates Rely on system certificates Aug 25, 2024
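
For readers following this issue, here is a check for whether an installed JDK's `lib/security/cacerts` already resolves to the distribution-managed Java trust store. It is an added example, not part of the issue, the linked proof-of-concept, or Corretto. It assumes the store locations used by Debian/Ubuntu (`ca-certificates-java`) and RHEL/Fedora/Amazon Linux (`ca-certificates`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Corretto's code. Function names are hypothetical.
# Assumed store paths: /etc/ssl/certs/java/cacerts (Debian/Ubuntu,
# ca-certificates-java) and /etc/pki/java/cacerts (RHEL/Fedora/Amazon Linux).

# Print the distro-managed Java trust store, optionally under a root prefix
# (the prefix exists so the check can be run against a chroot or image).
system_java_truststore() {
    root="${1:-}"
    for candidate in \
        "$root/etc/ssl/certs/java/cacerts" \
        "$root/etc/pki/java/cacerts"
    do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Classify ${java.home}/lib/security/cacerts for one JDK:
#   linked          resolves to the system store (survives JDK updates)
#   bundled         a separate file that a JDK update will replace
#   missing         the JDK has no cacerts at the expected path
#   no-system-store no distro-managed Java store was found
cacerts_status() {
    java_home="$1"
    root="${2:-}"
    jdk_store="$java_home/lib/security/cacerts"
    sys_store=$(system_java_truststore "$root") || { echo no-system-store; return 0; }
    if [ ! -e "$jdk_store" ]; then
        echo missing
    elif [ "$(readlink -f "$jdk_store")" = "$(readlink -f "$sys_store")" ]; then
        echo linked
    else
        echo bundled
    fi
}

# The per-application workaround the issue calls cumbersome: a JVM option
# pointing javax.net.ssl.trustStore at the system store.
truststore_opt() {
    sys_store=$(system_java_truststore "${1:-}") || return 1
    printf '%s\n' "-Djavax.net.ssl.trustStore=$sys_store"
}
```

A `bundled` result is the situation described under "Problem": certificates added to that file are lost when the JDK package replaces it.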