On Thu, 12 Feb 2026 18:12:34 GMT, Sean Mullan <[email protected]> wrote:
> This is a new `jlink` plugin which allows the user to specify the CA
> certificates they want to include in the `cacerts` keystore in a custom
> runtime image. This can be very useful for creating runtimes that only
> contain the CA certificates that are necessary.
>
> The command-line syntax takes one or more `cacert` keystore aliases as an
> option, separated by a comma.
>
> For example:
>
> `jlink --cacerts "letsencryptisrgx1 [jdk]"`
>
> or
>
> `jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`

src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/CACertsPlugin.java line 108:

> 106: ks.load(null, null);
> 107: for (var entry : certs.entrySet()) {
> 108: ks.setCertificateEntry(entry.getKey(), entry.getValue());

Assuming the original entry has attributes, do we want to copy them into the new
keystore?

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r2800519127
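
The question above turns on a `java.security.KeyStore` API detail: `setCertificateEntry` accepts only an alias and a certificate, while `getEntry`/`setEntry` pass a `TrustedCertificateEntry` together with its attribute set. The following is an added example, not code from the PR or the JDK; the class name, the marker OID and its value are constructed for illustration, and it assumes the running JDK's `cacerts` contains the alias (pass another alias as the first argument otherwise).

```java
import java.io.File;
import java.security.KeyStore;
import java.security.PKCS12Attribute;
import java.security.cert.Certificate;
import java.util.Set;

public class CacertsAttributeCopy {
    // Constructed OID and value, used only to make one attribute easy to spot.
    static final String MARKER_OID = "1.3.6.1.4.1.99999.1";

    static KeyStore emptyPkcs12() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);              // same initialisation as the quoted line 106
        return ks;
    }

    // True if the entry stored under alias carries the marker attribute.
    static boolean hasMarker(KeyStore ks, String alias) throws Exception {
        KeyStore.Entry e = ks.getEntry(alias, null);
        return e != null && e.getAttributes().stream()
                .anyMatch(a -> a.getName().equals(MARKER_OID));
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "letsencryptisrgx1 [jdk]";
        File file = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore cacerts = KeyStore.getInstance(file, (char[]) null);
        Certificate cert = cacerts.getCertificate(alias);
        if (cert == null) {
            System.err.println("alias not found in " + file + ": " + alias);
            return;
        }

        // Source keystore whose entry has an attribute attached.
        KeyStore src = emptyPkcs12();
        Set<KeyStore.Entry.Attribute> attrs = Set.of(new PKCS12Attribute(MARKER_OID, "demo"));
        src.setEntry(alias, new KeyStore.TrustedCertificateEntry(cert, attrs), null);

        // Copy path 1: certificate only, as in the quoted line 108.
        KeyStore byCert = emptyPkcs12();
        byCert.setCertificateEntry(alias, src.getCertificate(alias));

        // Copy path 2: whole entry, so the attribute set is handed to the new keystore.
        KeyStore byEntry = emptyPkcs12();
        byEntry.setEntry(alias, src.getEntry(alias, null), null);

        System.out.println("source has marker:              " + hasMarker(src, alias));
        System.out.println("setCertificateEntry has marker: " + hasMarker(byCert, alias));
        System.out.println("setEntry has marker:            " + hasMarker(byEntry, alias));
    }
}
```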