
Update Corretto documentation to include the root CAs that are trusted by the Amazon Corretto JDK #181

Open
mvhowardAWS opened this issue Mar 25, 2024 · 8 comments

Comments

@mvhowardAWS

Describe a solution you would like

I would like to make a feature request for some sort of documentation containing the root CAs that are trusted by the Amazon Corretto JDK, similar to how Mozilla maintains some documentation here: https://wiki.mozilla.org/CA/Included_CAs and here: https://wiki.mozilla.org/CA

Describe alternatives you have considered

The Amazon Trust Repository only contains a few of the trusted CAs.

The keytool -list -cacerts command with Corretto 17 returns a list containing 100+ entries of trusted CAs. Those entries include those listed in the Amazon Trust Repository, but they also include all of the other trusted CAs.

Additional context

Customers are transitioning to the Corretto JDK and need to be able to easily link auditors and end customers to documentation, kept up to date, on which root CA certificates are trusted.

@mcookAmazon

Hi mvhowardAWS,

Thank you for using Corretto! I'd like to better understand the need and see if and how we might be able to help.

We have a list of the CAs we ship with in the code here.

Would the above be sufficient for your needs? If not, would you please share your use case?

All the best,
Mike

@mcookAmazon

mcookAmazon commented Mar 26, 2024

Adding more details -

All of the certificates we bundle with Corretto that come from upstream OpenJDK have [jdk] in the cert name.

All of the certificates that we add from Amazon do not have [jdk] in the name.

So, for any given release you can run the keytool command and you will get back the included certs for that release.

keytool -list -cacerts|cut -d, -f1 |grep -v fingerprint|grep jdk will return all of those certificates originating from upstream OpenJDK. keytool -list -cacerts|cut -d, -f1 |grep -v fingerprint|grep -v jdk will return all certificates Amazon has added.

We pull the certs from a couple of locations, and the file directory structure has changed between releases. For reference, the Corretto 21 release takes what is in https://github.com/corretto/corretto-21/tree/cef27c0d26d54a92045f3cb7d3985e4bd0da6ee1/src/java.base/share/data/cacerts and then adds in https://github.com/corretto/corretto-21/blob/develop/amazon-cacerts

We think the best way to list out the certs is by using the keytool command (or other equivalent tool) to look for certs with [jdk] in them.

@ChrisGenesys

@mcookAmazon Our primary goal is to have a webpage that we can refer our customers to so that they can verify whether their preferred CA will be trusted. These are end users of the systems we're building, so they may not have the expertise or knowhow to run keytool commands themselves. Could Amazon publish a "trusted CA" page that lists the trusted root CAs and their serial numbers so that those customers could quickly search for their CA?

@mcookAmazon

@ChrisGenesys - I will review with the team and provide an update.

@Lirons01

Lirons01 commented May 16, 2024

@mcookAmazon Has there been any update on this?

@mcookAmazon

We have reviewed this internally.

We think providing instructions on how to print out the certs is the best way forward.

First cd into the bin directory where your Corretto distribution has been installed.

cd $JAVA_HOME/bin

Next run the keytool command:

keytool -list -keystore ../lib/security/cacerts -storepass changeit

This will provide a list of the cacerts provided with the distribution.

We believe that this procedure will ensure that the customer is seeing an accurate list of what cacerts were included for the specific release they have installed.
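The two procedures above (the [jdk]-suffix split from the Mar 26 comment and the keytool listing just described) are easy to turn into a publishable report. The script below is an added example, not code from the Corretto project or from anyone in this thread. It assumes the English-locale output format of keytool -list (an alias line "alias, date, trustedCertEntry," followed by a "Certificate fingerprint (SHA-256): ..." line) and the alias convention stated in the thread: roots inherited from upstream OpenJDK carry "[jdk]" in the alias, Amazon-added roots do not. The embedded SAMPLE is a constructed stand-in for real keytool output; the aliases and fingerprints in it are made up.

```python
"""Parse `keytool -list` output and split Corretto's trusted roots by origin.

Added example (not Corretto project code). Assumed input format: the
English-locale output of `keytool -list -cacerts -storepass changeit`,
i.e. an alias line followed by a fingerprint line. Usage with a real JDK:

    keytool -list -cacerts -storepass changeit | python3 cacerts_report.py
"""
import re
import sys
from dataclasses import dataclass

# "alias, Apr 1, 2024, trustedCertEntry," -- the date itself contains a comma,
# which is why the thread's `cut -d, -f1` still yields just the alias.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>.+?), (?P<kind>[A-Za-z]+Entry),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[A-Z0-9-]+)\): (?P<fp>[0-9A-Fa-f:]+)\s*$")


@dataclass(frozen=True)
class TrustedRoot:
    alias: str
    created: str
    kind: str
    fp_algo: str
    fingerprint: str  # colon-separated upper-case hex, as keytool prints it

    @property
    def from_upstream_jdk(self) -> bool:
        # Convention from the thread: "[jdk]" marks a root inherited from OpenJDK.
        return "[jdk]" in self.alias


def parse_keytool_list(text: str) -> list[TrustedRoot]:
    """Pair each alias line with the fingerprint line that follows it; header lines are skipped."""
    roots: list[TrustedRoot] = []
    pending = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            roots.append(TrustedRoot(pending["alias"], pending["date"], pending["kind"],
                                     m["algo"], m["fp"].upper()))
            pending = None
    return roots


def split_by_origin(roots: list[TrustedRoot]) -> tuple[list[TrustedRoot], list[TrustedRoot]]:
    """Same split as the thread's `grep jdk` / `grep -v jdk` pipelines."""
    upstream = [r for r in roots if r.from_upstream_jdk]
    amazon = [r for r in roots if not r.from_upstream_jdk]
    return upstream, amazon


def find_by_fingerprint(roots: list[TrustedRoot], fingerprint: str):
    """Look up a CA by its published SHA-256 fingerprint, ignoring case and colons."""
    wanted = fingerprint.replace(":", "").upper()
    for r in roots:
        if r.fingerprint.replace(":", "") == wanted:
            return r
    return None


def render_report(roots: list[TrustedRoot]) -> list[str]:
    """Tab-separated lines (origin, alias, algorithm, fingerprint), sorted by alias, for publishing."""
    rows = []
    for r in sorted(roots, key=lambda r: r.alias):
        origin = "openjdk" if r.from_upstream_jdk else "amazon"
        rows.append(f"{origin}\t{r.alias}\t{r.fp_algo}\t{r.fingerprint}")
    return rows


# Constructed sample of keytool -list output; aliases and fingerprints are made up.
SAMPLE = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

examplerootg2 [jdk], Aug 25, 2016, trustedCertEntry, 
Certificate fingerprint (SHA-256): 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20
exampleamazonroot, Apr 1, 2024, trustedCertEntry, 
Certificate fingerprint (SHA-256): A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:AA:AB:AC:AD:AE:AF:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9:BA:BB:BC:BD:BE:BF
exampleeccroot [jdk], Jun 3, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:CA:CB:CC:CD:CE:CF:D0:D1:D2:D3:D4:D5:D6:D7:D8:D9:DA:DB:DC:DD:DE:DF
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(render_report(parse_keytool_list(text))))
```

Matching on the SHA-256 fingerprint rather than the alias is the check an end customer actually needs: a CA's published fingerprint is stable, whereas the alias is a keystore-local name. If the report should also carry serial numbers and subject names, as requested earlier in the thread, run keytool -list with -v, which prints "Owner:" and "Serial number:" lines per entry; the parser above only handles the non-verbose format the thread's commands produce.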

@ChrisGenesys

@mcookAmazon This request is not for us. Rather, it's for our customers who are only tangentially aware that they are using an AWS-based Java application.

In our case, we are hosting an application in AWS that will be connecting to customer supplied APIs.

Our customers want to check whether or not the certificate authority they use will be trusted by our application when it attempts to connect. Our customers are not running our application locally and will not have access to the Corretto distribution or keytool.

We could, of course, run keytool ourselves and publish a list. However, it would be more sustainable for AWS to have an officially generated and updated list in the same way that Mozilla does with https://ccadb.my.salesforce-sites.com/mozilla/CAInformationReport. We would supply that list to our customers so that they could understand certificate compatibility.

@mcookAmazon

Hi @ChrisGenesys - Can you please further describe the usage scenario? I'd like to learn more about the specifics where the customer does not know which Java distribution is being used.
