On Thu, 12 Feb 2026 18:47:56 GMT, Weijun Wang <[email protected]> wrote:

>> This is a new `jlink` plugin which allows the user to specify the CA 
>> certificates it wants to include in the `cacerts` keystore in a custom 
>> runtime image. This can be very useful for creating runtimes that only 
>> contain the CA certificates that are necessary.
>> 
>> The command-line syntax takes one or more `cacert` keystore aliases as an 
>> option, separated by a comma.
>> 
>> For example: 
>> 
>> `jlink --cacerts "letsencryptisrgx1 [jdk]"`
>> 
>> or
>> 
>> `jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
>
> src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/CACertsPlugin.java
>  line 108:
> 
>> 106:             ks.load(null, null);
>> 107:             for (var entry : certs.entrySet()) {
>> 108:                 ks.setCertificateEntry(entry.getKey(), 
>> entry.getValue());
> 
> Assume the original entry has attributes, do we want to copy them into the 
> new keystore?

I could, I think it is easy enough to do, although I'm not aware of any use 
cases that depend on attributes, and `keytool` doesn't support them.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r2800695726
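
The difference raised in the review, as an added example that is not code from the PR or from the JDK: `setCertificateEntry` stores only the certificate, while `getEntry`/`setEntry` moves the whole `TrustedCertificateEntry`, including whatever `getAttributes()` returns. The class name `CopyTrustedEntries`, the PKCS12 destination type, and reading the running JDK's own `cacerts` with a null password are assumptions made for illustration.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.List;

public class CopyTrustedEntries {   // hypothetical class, not part of the PR

    // Copies the named trusted-certificate entries from src into a new, empty
    // keystore, keeping any attributes attached to each entry.
    static KeyStore copy(KeyStore src, List<String> aliases) throws Exception {
        KeyStore dst = KeyStore.getInstance("PKCS12");   // assumed destination type
        dst.load(null, null);
        for (String alias : aliases) {
            if (!src.isCertificateEntry(alias)) {
                throw new IllegalArgumentException(
                        "not a trusted certificate entry: " + alias);
            }
            // getEntry returns a TrustedCertificateEntry that carries its attributes;
            // dst.setCertificateEntry(alias, cert) would store the certificate only.
            // Trusted certificate entries take no protection parameter, hence null.
            KeyStore.Entry entry = src.getEntry(alias, null);
            dst.setEntry(alias, entry, null);
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the running JDK's cacerts can be loaded without a password.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore src = KeyStore.getInstance(cacerts, (char[]) null);

        // Default alias is the one used in the PR description.
        List<String> aliases = args.length > 0
                ? List.of(args)
                : List.of("letsencryptisrgx1 [jdk]");

        KeyStore dst = copy(src, aliases);
        for (String alias : aliases) {
            System.out.println(alias
                    + "\n  source attributes: " + src.getEntry(alias, null).getAttributes()
                    + "\n  copied attributes: " + dst.getEntry(alias, null).getAttributes());
        }
    }
}
```

Whether the source entries report any attributes depends on the keystore type of the `cacerts` file being read.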
