On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> The cacerts file is now a password-less PKCS12 file. This makes sure old code
> that uses a JKS KeyStore object can continuously load it using a null
> password (in fact, any password) and see all certificates inside.

make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74:

> 72:                 cert = (X509Certificate) cf.generateCertificate(fis);
> 73:             }
> 74:             ks.setCertificateEntry(alias, cert);

In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will always be different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this?

-------------

PR: https://git.openjdk.java.net/jdk/pull/5948