Red Hat SummitChapter 3. Red Hat build of OpenJDK features
The latest Red Hat build of OpenJDK 17 release might include new features. Additionally, the latest release might enhance, deprecate, or remove features that originated from earlier Red Hat build of OpenJDK 17 releases.
For all the other changes and security fixes, see OpenJDK 17.0.16 Released.
3.1. Red Hat build of OpenJDK enhancements
Red Hat build of OpenJDK 17 provides enhancements to features originally created in earlier releases of Red Hat build of OpenJDK.
Sectigo CS and TLS root certificates added
In Red Hat build of OpenJDK 17.0.16, the cacerts truststore includes four Sectigo root certificates, including two code-signing (CS) certificates and two TLS certificates:
- Certificate 1
- Name: Sectigo Limited
- Alias name: sectigocodesignroote46
- Distinguished name: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
- Certificate 2
- Name: Sectigo Limited
- Alias name: sectigocodesignrootr46
- Distinguished name: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB
- Certificate 3
- Name: Sectigo Limited
- Alias name: sectigotlsroote46
- Distinguished name: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB
- Certificate 4
- Name: Sectigo Limited
- Alias name: sectigotlsrootr46
- Distinguished name: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB
3.2. Red Hat build of OpenJDK deprecated features
The following pre-existing features have been either deprecated or removed in Red Hat build of OpenJDK 17.0.16:
Baltimore root certificate removed
From Red Hat build of OpenJDK 17.0.16 onward, the cacerts truststore no longer includes the following Baltimore root certificate that expired in May 2025:
- Alias name: baltimorecybertrustca [jdk]
- Distinguished name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8303770 (JDK Bug System).
Camerfirma root CA certificates removed
From Red Hat build of OpenJDK 17.0.16 onward, the cacerts truststore no longer includes the following expired Camerfirma root certificates:
- Certificate 1
- Alias name: camerfirmachamberscommerceca [jdk]
- Distinguished name: CN=Chambers of Commerce Root OU=http://www.chambersign.org O=AC Camerfirma SA CIF A82743287 C=EU
- SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
- Certificate 2
- Alias name: camerfirmachambersignca [jdk]
- Distinguished name: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A. SERIALNUMBER=A82743287 L=Madrid (see current address at www.camerfirma.com/address) C=EU
- SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}