News

Oracle Implements Trust Restrictions on Chunghwa Root Certificates in Java Environment

• By John K. Waters
• June 2, 2026

The Java Development Kit (JDK) will stop trusting Transport Layer Security (TLS) server certificates anchored by legacy Chunghwa Telecom Co., Ltd. root certificates if they were issued after March 17, 2026, Oracle says. This policy alignment matches similar security mandates previously established by Google and Mozilla. The decision follows a broader industry movement to deprecate aging cryptographic roots that no longer fulfill strict baseline requirements.

The enforcement is coded directly into the Java Secure Socket Extension (JSSE) provider implementation of the Java Secure Socket Extension API. Security parameters will block the negotiation of TLS sessions if a server presents a certificate chain anchored by the distrusted certificate authority that carries a timestamp after the March deadline. The handshake failure happens at the protocol layer, preventing application data from being transmitted over unsecured channels.

Impacted applications will throw an exception stating that the certificate is "anchored by a distrusted legacy Chunghwa root CA." Certificates issued on or before March 17, 2026, will remain trusted within the runtime environment until their natural expiration dates, avoiding immediate outages for legacy deployments.

Organizations requiring an exception can manually override the restriction by adjusting the security properties file in the JDK configuration. Security administrators must explicitly remove the root certificate from the disabled algorithms list to re-enable communication, though Oracle advises against this practice for production systems due to the associated security exposure.