Procedure to procure root CA certificate and include in cacerts of JDK


#1

I am from IBM and would like to include the Let’s Encrypt Root CA certificate in the ‘cacerts’ of the JDK. Please provide a contact to talk to about the further process.


#2

Hi @mbvreddy,

Thanks for your interest in Let’s Encrypt. A good contact for this process is ISRG’s Executive Director Josh Aas, who is @josh on this forum.

Since ISRG has already applied for inclusion in a number of root programs, it’s possible that Josh already has contacts open with other colleagues at IBM for this purpose, so it may be good to check that there isn’t a duplicative conversation about this issue going on already.


#3

http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html

Java only works with 7u111+ and 8u101+ as the “DST Root CA X3” was added with these versions on 2016-07-19 (see https://bugs.openjdk.java.net/browse/JDK-8154757), 8u141+ directly include the ISRG Root certificate (see http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html)

If you are looking at adding these manually you can do this with keytool.

Andrei
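The manual keytool route mentioned above, as an added example that is not part of the original thread: it imports a root into a JDK truststore only after the certificate file's SHA-256 fingerprint matches a value obtained out of band from the CA. The function names, the argument order and the return codes are assumptions of this example, and the fingerprint parsing assumes keytool's English output.

```shell
#!/bin/sh
# Added example: add a root CA to a JDK cacerts file, checking its SHA-256
# fingerprint first. Names and return codes here are this example's own.

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        awk '/SHA256:/ { print toupper($2); exit }'
}

# ensure_root_trusted KEYSTORE ALIAS CERT_FILE EXPECTED_SHA256 [STOREPASS]
# Returns 0 if the alias is present or was imported, 2 on a fingerprint
# mismatch, 1 on any other failure.
ensure_root_trusted() {
    ks=$1
    entry=$2
    cert=$3
    want=$(printf '%s' "$4" | tr 'a-f' 'A-F')
    pass=${5:-changeit}   # stock cacerts password; pass your own if changed

    if [ ! -f "$ks" ] || [ ! -f "$cert" ]; then
        echo "missing keystore or certificate file" >&2
        return 1
    fi

    # Already trusted under this alias: nothing to do.
    if keytool -list -keystore "$ks" -storepass "$pass" -alias "$entry" >/dev/null 2>&1; then
        echo "alias '$entry' already present in $ks"
        return 0
    fi

    # -noprompt skips keytool's interactive "trust this certificate?" step,
    # so the fingerprint check below takes its place.
    got=$(cert_sha256 "$cert")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got '${got:-none}', expected '$want'" >&2
        return 2
    fi

    keytool -importcert -noprompt -trustcacerts -alias "$entry" \
        -file "$cert" -keystore "$ks" -storepass "$pass" >/dev/null || return 1
    echo "imported '$entry' into $ks"
}

# Run directly: script.sh KEYSTORE ALIAS CERT_FILE EXPECTED_SHA256 [STOREPASS]
if [ "$#" -ge 4 ]; then ensure_root_trusted "$@"; fi
```

Work on a copy of the truststore first; a JDK update replaces the bundled cacerts, so a manual import has to be repeated afterwards.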


#4

Further to what @schoen wrote, can I ask if IBM operates a single “root trust programme” or similar across the business that you’re aware of? IBM offers a broad range of products, several of which need to trust root CAs. I suspect Let’s Encrypt would like the ISRG root included in all of them, so it’d be convenient for them. But for the wider community it’d also be good to have a single point of contact covering all those products.


#5

@ahaw021 - IBM JDK has its own cacerts and the plan is to include the ISRG root certificate in it.


#6

@schoen - Thank you. How can I reach @josh other than the community? If not already, we would like to have an agreement.


#7

@tialaramex - That is a good idea. We will think on it. But most IBM products use IBM JDK’s cacerts, which already has root CAs. Hence, including the root in JDK’s cacerts would serve the need.


#8

I sent you a private message with Josh Aas’s e-mail address. (It’s not a secret, but I don’t want to risk increasing the amount of spam he gets by posting it on the forum.)