Problem
When updating Corretto, former changes to the Keystore (${java.home}/lib/security/cacerts) get lost. This also includes certificates which have been installed to the system and later on copied to the JDK's cacerts. While it is possible to let every Java application point to the system keystore which uses the system default, it is cumbersome to do this.
Proposed solution
When installing Corretto, the system certificates should be used, if possible.
On Debian / Ubuntu, ca-certificates and ca-certificates-java provide related tools; on RHEL / Fedora / AmazonLinux a similar package exists.
Former releases of the underlying OpenJDK offered such integration, which comes in handy and is a secure and intuitive default, as distribution maintainers' decisions apply to installed JREs / JDKs, too.
[Note: Updated as the initial idea was bad]
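
An added example, not part of the original issue and not Corretto code: a shell check that tells whether a JDK's `lib/security/cacerts` is the system trust store or a separate copy that an update will overwrite, and prints the per-application option that points a JVM at the system store. The candidate paths and the `CHECK_JAVA_HOME` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Candidate locations of the Java-format system trust store
# (assumed: Debian/Ubuntu ca-certificates-java, then RHEL/Fedora/Amazon Linux).
SYSTEM_STORES="/etc/ssl/certs/java/cacerts /etc/pki/java/cacerts"

# Print the first system trust store that exists under an optional root prefix.
find_system_store() {
    root="${1:-}"
    for p in $SYSTEM_STORES; do
        if [ -f "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Classify the cacerts of the JDK at $1 against the system store at $2:
#   linked  - resolves to the system store, so distribution trust decisions apply
#   bundled - separate file shipped with the JDK, replaced on every update
#   missing - nothing at ${java.home}/lib/security/cacerts
cacerts_status() {
    bundled="$1/lib/security/cacerts"
    [ -e "$bundled" ] || { echo missing; return 0; }
    if [ "$(readlink -f "$bundled")" = "$(readlink -f "$2")" ]; then
        echo linked
    else
        echo bundled
    fi
}

# Print the JVM option that makes one application use the system store.
truststore_opt() {
    found="$(find_system_store "${1:-}")" || return 1
    printf '%s%s\n' '-Djavax.net.ssl.trustStore=' "$found"
}

# Hypothetical entry point: CHECK_JAVA_HOME=/path/to/jdk sh check.sh
if [ -n "${CHECK_JAVA_HOME:-}" ]; then
    sys="$(find_system_store)" || { echo "no system Java trust store found" >&2; exit 1; }
    echo "$(cacerts_status "$CHECK_JAVA_HOME" "$sys"): $CHECK_JAVA_HOME/lib/security/cacerts"
    truststore_opt
fi
```

A result of `bundled` after an update means any certificates previously copied into that file are gone and have to be re-imported or supplied through the printed option.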