Pull to refresh

Making Java 8 aware of Let's Encrypt root certificate

Level of difficultyEasy
Reading time3 min
Views2.3K

To begin with, we need to understand some terminology and concepts that form a backbone and stand behind the topic, so we will understand why the issue occurs and how to solve it.

Certificate Authority (CA) is an organisation that issues digital certificates. 

Root Certificate is a self-signed certificate that represents the top-level (or root) in a certificate chain. Root certificates are distributed in software trust stores, like those in web browsers or operating systems. When you trust a root certificate, you inherently trust all certificastes signed by that root.

Prior to September 2021 Let's Encrypt was using root certificate issued by a CA called Digital Signature Trust Co. (often abbreviated as DST or IdenTrust). The certificate name was DST Root CA X3,

In present time the organization behind Let's Encrypt is ISRG (Internet Security Research Group) and thus ISRG is CA. The certificates issued by it are ISRG Root X1 and ISRG Root X2.

The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts ISRG’s “ISRG Root X1” certificate. Prior to September 2021, some platforms could validate Let's Encrypt certificates even though they don’t include ISRG Root X1, because they trusted IdenTrust’s “DST Root CA X3” certificate. From October 2021 onwards, only those platforms that trust ISRG Root X1 will validate Let’s Encrypt certificates.

Every JRE has its own keystore, which contains all Certificate Authorities it trusts. This is also referred to as a truststore. This truststore is stored as a file called cacerts. It is typically located in $JAVA_HOME/jre/lib/security for Java 8 and in $JAVA_HOME/jre/lib/security for Java 11 and Java 17, assuming $JAVA_HOME is where your JRE or JDK is installed. The default password for this keystore is changeit.

That being said, Java 8 updates released prior to January 2017 (versions < 8u141) did not include the "ISRG Root X1" certificate in their default truststore. At the same time Java 11 includes root certificates of both CAs and Java 17 includes only "ISRG Root X1".

The tool for work with JRE keystore is called keytool and located in $JAVA_HOME/bin/keytool. 

Use the following commands to view whether needed CA are located in the relevant keystores

# For Java 8
$  $JAVA_HOME/bin/keytool -list -keystore  $JAVA_HOME/jre/lib/security/cacerts -storepass changeit | grep -iE "isrg|dstx3"
identrustdstx3, May 5, 2016, trustedCertEntry,
 
# For Java 11
$  $JAVA_HOME/bin/keytool -list -keystore  $JAVA_HOME/lib/security/cacerts -storepass changeit | grep -iE "isrg|dstx3"
identrustdstx3 [jdk], Sep 30, 2000, trustedCertEntry,
letsencryptisrgx1 [jdk], Jun 4, 2015, trustedCertEntry,
 
# For Java 17
$  $JAVA_HOME/bin/keytool -list -keystore  $JAVA_HOME/security/cacerts -storepass changeit | grep -iE "isrg|dstx3"
_,cus,ointernet_security_research_group,cnisrg_root_x1 [jdk], Jun 4, 2015, trustedCertEntry,
_,cus,ointernet_security_research_group,cnisrg_root_x2 [jdk], Sep 4, 2020, trustedCertEntry,

You can note here that Java 17 also includes the new ISRG Root X2 root certificate that is using ECDSA encription unlike RSA encryption used by ISRG Root X1.

So you need

The solution for old Java 8 JRE would be to make the JRE trust to the new CA of Let's Encrypt, which is ISRG.

# Download the ISRG Root X1 certificate in PEM format from the Let's Encrypt website.
wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem.txt -O /tmp/isrgrootx1.pem

# Import the new trusted root certificate into JRE truststore with the keytool
$JAVA_HOME/bin/keytool -import -alias letsencryptisrgx1 -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/isrgrootx1.pem

Tags:
Hubs:
Rating0
Comments5

Articles