On Wed, 15 Apr 2026 12:39:03 GMT, Sean Mullan <[email protected]> wrote:
>> This is a new `jlink` plugin which allows the user to specify the CA
>> certificates it wants to include in the `cacerts` keystore in a custom
>> runtime image. This can be very useful for creating runtimes that only
>> contain the CA certificates that are necessary.
>>
>> The command-line syntax takes one or more `cacert` keystore aliases as an
>> option, separated by a comma.
>>
>> For example:
>>
>> `jlink --cacerts "letsencryptisrgx1 [jdk]"`
>>
>> or
>>
>> `jlink --cacerts "letsencryptisrgx1 [jdk],digicertglobalrootca [jdk]"`
>
> Sean Mullan has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Don't override getType().

src/jdk.jlink/share/classes/jdk/tools/jlink/resources/plugins.properties line 67:

> 65:     \  with the certificates of the specified aliases\n\
> 66:     \  only. <alias> is the name of an alias in the\n\
> 67:     \  cacerts keystore.

I'm wondering about "cacerts keystore". Do you mean this in the abstract sense or the file in lib/security? JEP 220 is clear that files in the lib directory "must be treated as private implementation details of the run-time system", and maybe we missed some areas of the docs when moving to the new run-time image structure. I note that the keytool man page refers to the cacerts file in lib/security and we should probably re-visit that wording. I'm just wondering if the usage and man page should refer to the JDK's trustcode for CA certificates or something more abstract rather than "cacerts".

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r3086703897
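The quoted PR description shows how to build a runtime image whose `cacerts` keystore holds only the requested aliases, and the review comment points out that the file under lib/security is a private implementation detail. An added example (not code from the PR or the JDK) that respects that boundary: it runs on the generated image and asks the default `X509TrustManager`, via public API only, which roots it accepts, then compares them to the set the image was supposed to contain. The expected subject names are an assumption about which roots the example aliases `letsencryptisrgx1 [jdk]` and `digicertglobalrootca [jdk]` denote; substitute the subjects of the aliases you actually passed to `jlink --cacerts`.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Run with the image produced by jlink, e.g.  $IMAGE/bin/java TrustStoreCheck.java
// It queries the platform's default trust manager through public API only, so it
// does not depend on where (or whether) a cacerts file exists under lib/security.
public class TrustStoreCheck {

    // Assumed expected set: RFC 2253 subject names of the two roots the PR's
    // example aliases are taken to refer to. Adjust to the aliases you passed.
    static final Set<String> EXPECTED = Set.of(
        "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
        "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US");

    // Subjects of every issuer the default TrustManager will accept.
    static Set<String> defaultTrustedSubjects() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);      // null => the JDK's default trust store
        Set<String> subjects = new TreeSet<>();
        for (var tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager x509) {
                for (X509Certificate c : x509.getAcceptedIssuers()) {
                    subjects.add(c.getSubjectX500Principal().getName(X500Principal.RFC2253));
                }
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        Set<String> actual = defaultTrustedSubjects();
        Set<String> missing = new TreeSet<>(EXPECTED);
        missing.removeAll(actual);
        Set<String> unexpected = new TreeSet<>(actual);
        unexpected.removeAll(EXPECTED);

        System.out.println("trusted roots in this runtime: " + actual.size());
        actual.forEach(s -> System.out.println("  " + s));
        if (!missing.isEmpty()) {
            System.out.println("MISSING (expected but not trusted): " + missing);
        }
        if (!unexpected.isEmpty()) {
            System.out.println("UNEXPECTED (trusted but not requested): " + unexpected);
        }
        // Non-zero exit so a build pipeline can fail when the image trusts
        // more or fewer roots than it was built to.
        System.exit(missing.isEmpty() && unexpected.isEmpty() ? 0 : 1);
    }
}
```

Run it with the image's own `bin/java`, not the JDK you ran `jlink` from, since the check is about what that runtime trusts by default. If `-Djavax.net.ssl.trustStore` is set in the environment the default trust manager will load that store instead, so run the check without it to verify the image itself.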
