Including Certificate Authority Root Certificates in Java


Program Requirements

In order to protect Oracle's Java SE customers from security issues related to the use of public key infrastructure (PKI) certificates while enhancing their overall experience, Oracle requires that all root certificate authorities meet the following criteria before applying for inclusion of their root certificates in Oracle’s Java Runtime Environment (JRE).
  • Certificate Authority (CA) providers must maintain a WebTrust Certification for Certificate Authorities or an equivalent independent third-party certification. For certifications from a different program, the burden is on the CA to prove equivalency to the WebTrust for CAs program.
  • Only root certificates with an expiration date of at least 8 years from the date of application will be considered.
  • A maximum of three root certificates per CA will be accepted to minimize the impact on performance and installation time.
  • A test certificate issued from each CA provider’s root to be assessed for inclusion must be made available to Oracle along with the application. 
  • Only applications from well-established and widely used CAs will be accepted.
  • The root certificate must be of value to the broader Java community. For example, root certificates that are only available to internal developers, customers of a single organization, or a closed network of organizations are not acceptable for the Root Certificate Program.
  • Certificates issued from the root certificates must support the CRL distribution point extension or OCSP, preferably both. The CRL distribution point must point to a publicly accessible location.
  • Root certificates and certificates issued by the root CA or any subordinate CA must conform to the RFC 5280 standard.
  • All documents written in languages other than English must be accompanied by a certified translation.
Inclusion of any Certificate Authority’s root certificates in the program is subject to Oracle’s discretion.

Use of your root certificates: If accepted into the program, Oracle will have the right, but not the obligation, to distribute your root certificates in our Java Runtime Environment’s (JRE) root certificate store.

Application process

The process starts by sending an e-mail with the following information to JAVASE-CA-REQUEST

  • Contact information for two members of your organization: first name, last name, title, email address and phone numbers.
  • Company name and address
  • Company web page address (URL)
  • Link to a Certificate Practice Statement
  • List of all current third-party audits your CA practice has passed
  • Copy of your Audit Report
  • Certificate revocation server URL (CRL and OCSP)
  • Explanation of how your organization reports revocation status for expired code signing certificates. The explanation should state whether expired certificates are pruned from CRLs/OCSP responses as soon as they expire and, if not, how long revocation information is maintained for expired certificates. Note: if not indefinite, we may decline new participants that do not retain expired information for an extended period of time.
  • Number of roots you would like to submit
  • List of other programs on which your root certificates are already included
  • Attach or link test certificate issued from each root to be assessed for inclusion
  • Answers to the following questions
    • What business purpose and applications (e.g., code signing, SSL client, SSL server, S/MIME, etc.) will certificates issued from these root certificates serve?
    • Who will obtain certificates from your Certificate Authority and what are the processes used for doing so?
      • Will you issue certificates to individuals, organizations, or both?
      • Do you only issue certificates to users from a specific region, language, demographic or other niche demographic?
      • How do you market your organization, and more specifically, how do users request a certificate from you (please be specific for each of individuals and organizations if different)?
    • What is the validation process for someone requesting a certificate issued from these roots?
  • A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.

You should receive an email receipt confirmation within 5 business days of submitting your request. We will then evaluate your request and contact you if appropriate for additional information.

The evaluation period will vary in length depending on the individual characteristics of the request and might require additional information. 

Submissions from applicants who do not reply to Oracle’s request for information will be placed on hold until all questions are answered. Applications that have been placed on hold for more than 3 months will be considered abandoned, and a new application will be required to restart the process.


FAQ

1.    What is the cost to be included in the program?
    Oracle does not charge for the root certificate program.

2.    What is the deadline for submission of requests?
    The program runs on an ongoing basis. There is no deadline for submission. Certificates that are added to the program are included in a future JRE update. Once approved, Oracle will notify you of the expected release version and approximate date on which the certificates will start being included in the JRE.

3.    What is the process for adding certificates to the JRE?
    Approved Certificate Authorities that want to add a new certificate to the JRE can do so until they have a total of 3 root certificates in the JRE. Once the total number has been reached, CAs will have the option of replacing any of the certificates with new certificates that meet the current requirements.

4.    How long will a root certificate remain in the program?
    Certificates accepted into the JRE will remain in the program until one of the following occurs:
  • The CA decides to terminate their participation in the program and requests that their root certificates be removed.
  • The CA requests that a given certificate no longer be included in the JRE. This includes, but is not limited to, superseded or compromised certificates.
  • The certificate or Certificate Authority no longer meets the requirements for the program, for example due to certificate expiration or due to new or increased technical requirements.
  • Oracle decides to stop including certificates from a given CA.

5.    Why was my application to the program denied?
    A typical reason is failure to meet one or more Root Certificate Program requirements.

    For example, given that a root certificate proposed for inclusion must be of value to the broader Java community, root certificates that are only available to internal developers, customers of a single organization, or a closed network of organizations are not acceptable for the Root Certificate Program.

    We regret that we may not always be able to provide exhaustive details for all applications.