On 3/29/17 10:33 AM, Sean Mullan wrote:
https://bugs.openjdk.java.net/browse/JDK-8176087
keytool now prints warnings when reading or generating cert/cert req
using weak algorithms

In all keytool functions, if the certificate/certificate request/CRL
that is working on (whether it be the input, the output, or an
existing object) is using a weak algorithm or key, a warning will be
printed out.

"working on" sounds a bit awkward. Also not sure if you need to mention all functions, and input, output, etc - I think that should be implied. You probably also want to mention the fix in https://bugs.openjdk.java.net/browse/JDK-8177569 here. How about:

"With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing or verifying is using a weak algorithm or key. When the `-trustcacerts` option is specified or the `cacerts` keystore is being directly operated on, keytool will not print a warning for certificates in the `cacerts` keystore that have been signed with a weak signature algorithm."

Precisely, an algorithm or a key is weak if it matches the value of
the jdk.certpath.disabledAlgorithms security property defined in
conf/security/java.security.

Put the property name and file name in single backquotes, ex: `jdk.certpath.disabledAlgorithms`. Also I would say "in the `conf/security/java.security` file."

--Sean
