Including Certificate Authority Root Certificates in Java

Program Requirements

The Oracle Java Root Certificate program is in a steady state and generally not accepting new participants. Only widely recognized Certificate Authorities with a significant customer base and global reach should consider applying.

In order to protect Oracle's Java SE customers from security issues related to the use of public key infrastructure (PKI) certificates while enhancing their overall experience, Oracle requires that all root certificates authorities meet the following criteria before applying for inclusion of their root certificates in Oracle’s Java Runtime Environment (JRE).

  • Certificate Authorities (CA) providers must maintain a WebTrust Certification for Certificate Authorities or an equivalent independent third-party certification. For certifications from a different program the burden is on the CA to prove equivalency to the WebTrust for CAs program.
  • Companies and organizations (public or private) who are not well known and globally recognized Certificate Authorities with a global reach are unlikely to be accepted.
  • Root certificates that have an expiration date in the next 5 years might not be considered.
  • A maximum of three root certificates per CA will be accepted to minimize the impact on performance and installation time.
  • A test certificate issued from each CA provider’s root to be assessed for inclusion must be made available to Oracle along with the application.
  • Only applications from well-established and widely used CAs will be accepted.
  • The root certificate must be of value to the broader Java community. For example, root certificates that are only available to internal developers, customers of a single organization, or closed network of organizations are not acceptable for the Root Certificate Program.
  • Certificates issued from the root certificates must support the CRL distribution point extension or OCSP, preferably both. The CRL distribution point must point to a publicly accessible location.
  • Root certificates and certificates issued by the root CA or any subordinate CA must conform to the RFC 5280 standard.
  • All documents written in languages other than English must be accompanied by a certified translation.
Inclusion of any Certificate Authority’s root certificates in the program is subject to Oracle’s discretion.

Use of your root certificates: If accepted into the program Oracle will have the right, but not the obligation to, distribute your root certificates in our Java Runtime Environment’s (JRE) root certificate store.

Application process

The process starts with a globally recognized Certificate Authority with broad and international customer base, and/or existing program participant sending e-mail with the following information to JAVASE-CA-REQUEST_WW_GRP

  • Contact information for two members of your organization: First Name, Last Name, Title, email Address and phone numbers.
  • Company name and address
  • Backup/Alternate contact name and address, preferably a durable contact that can survive employee turnover (eg, "legal@companynameDOTcom")
  • Company web page address (URL)
  • Link to a Certificate Practice Statement
  • List of all current third-party audits your CA practice has passed
  • Copy of your Audit Report
  • Certificate revocation server URL (CRL and OCSP)
  • Explanation of how your organization reports revocation status for expired code signing certificates. Explanation should include if expired certificates are pruned from CRLs/OCSPResponses as soon as they expire. If not, how long is revocation information maintained for expired certificates. Note: if not indefinite, we may decline new participants that do not retain expired information for an extended period of time.
  • Number of roots you would like to submit
  • List of other programs on which your root certificates are already included
  • List of other programs on which your root certificates that you are applying for are already included
  • Attach or link test certificate issued from each root to be assessed for inclusion
  • Answers to the following questions
    • What business purpose and applications (ex: code signing, SSL Client SSL Server, S/MIME, etc) will certificates issued from these root certificates serve?
    • Who will obtain certificates from your Certificate Authority and what are the processes used for doing so?
      • Will you issue certificates to individuals, organizations, or both?
      • Do you only issue certificates to users from a specific region, language, demographic or other niche demographic?
      • How do you market your organization, and more specifically, how do users request a certificate from you (please be specific for each of individuals and organizations if different)?
    • What is the validation process for someone requesting a certificate issued from these roots?
  • A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.

You should receive an email receipt confirmation within 20 business days of submitting your request.

We will then evaluate your request and contact you if appropriate for additional information.

The evaluation period will vary in length depending on the individual characteristics of the request and might require additional information. Please note that even for perfectly qualified applications the entire process can take several months.

Submissions of applicants that do not reply to Oracle’s request for information will be placed on hold until all questions are answered. Applications that have been placed on hold for more than 3 months will be considered abandoned and a new application will be required to restart the process.

    Frequently Asked Questions

    Open all Close all
  • What is the cost to be included on the program?

    Oracle does not charge for the root certificate program.

  • What is the deadline for submission of requests?

    The program runs on an on-going basis. There is no deadline for submission. Certificates that are added to the program are included in a future JRE update. Once approved Oracle will notify you of the expected release version and approximate date on which the certificates will start being included in the JRE.

  • What is the process for adding certificates to the JRE?

    Approved Certificate Authorities that want to add a new certificate to the JRE can do so until they have a total of 3 root certificates in the JRE. Once the total number has been reached CAs will have the option of replacing any of the certificates with new certificates that meet the current requirements.

  • How long will a root certificate remain in the program?

    Certificates accepted into the JRE will be shipped with the JDK until one of the following occurs:

    • The CA decides to terminate their participation in the program and request that their root certificates no longer be included in future JDK versions.
    • The CA requests that a given certificate no longer be included in the JDK. This includes –but is not limited to- superseded or compromised certificates.
    • The certificate or Certificate Authority no longer meets the requirements for the program: for example due to certificate expiration or due to new or increased technical requirements.
    • Oracle decides to stop including certificates from a given CA.
    Root certificates used only for issuing TLS certificates will be removed from JDK updates released after the root certificate expiration date.
    Root certificates used for issuing code-signing certificates may continue to be included in JDK updates for up to 10 years after their expiration date as long as they meet all security requirements. This allows code that has been previously signed and timestamped with certificates that chain back to one of these roots to continue to be validated.

  • What agreement would I sign if I am accepted into the program?

    In order for Oracle and its partners to include and distribute your certificates you will need to agree to the Oracle Contributor Agreement.

  • Why was my application to the program denied?

    A typical reason is we are generally not accepting new participants at this time and are extremely selective to new participants. Generally, unless you are a broadly available Certificate Authority with an international customer base you are unlikely to be included. In addition to being a globally recognized Certificate Authority it must be clear your inclusion adds value to the broader Java community. Root certificates that are only available to internal developers, customers of a single organization (public or private), country, region, or to a closed network of organizations, or an organization that is not a globally recognized Certificate Authority at Oracle’s sole discretion will not be accepted into the Root Certificate Program.
    We regret that we may not always be able to provide exhaustive details for all applications.