Removing Unused CA Certificates
The Java and IDM truststore files include a number of root CA certificates. Every root CA in a truststore can issue certificates that the deployment will accept, so although the probability of a compromised root CA certificate is low, it is best practice to delete root CA certificates that are not used in your deployment and thereby limit the set of issuers you trust.
To review the list of root CA certificates in the IDM truststore, run the following command:
```
keytool \
-list \
-keystore /path/to/openidm/security/truststore \
-storepass changeit
```
On UNIX/Linux systems, you can find additional lists of root CA certificates in files named `cacerts`. These include root CA certificates associated with your Java environment, such as Oracle JDK or OpenJDK. You should be able to find that file in `${JAVA_HOME}/jre/lib/security/cacerts`.
Before changing Java environment keystore files, make sure that the Java-related `cacerts` files are up to date and verify that you have a supported Java version installed:
Vendor | Versions
---|---
OpenJDK, including OpenJDK-based distributions. ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Adoptium and recommends using the HotSpot JVM. | 11
Oracle Java | 11
You can remove root CA certificates with the keytool command. For example, the following command removes the hypothetical `examplecomca2` certificate from the truststore:
```
keytool \
-delete \
-keystore /path/to/openidm/security/truststore \
-storepass changeit \
-alias examplecomca2
```
Repeat the process for all root CA certificates that are not used in your deployment.
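The list-then-delete procedure above can be turned into a small audit script. The following shell script is an added example, not part of the ForgeRock documentation: it parses captured `keytool -list` output, compares the aliases against a keep list of the CAs your deployment actually uses, and prints (rather than runs) the matching `keytool -delete` commands so they can be reviewed first. The sample truststore listing, the keep list, the keystore path and the password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ForgeRock docs): find truststore aliases the
# deployment does not use and print the keytool -delete commands for them.
set -eu

# Print the alias of every entry in `keytool -list` output, one per line.
# keytool prints entries as "<alias>, <date>, trustedCertEntry," so keep only
# the first comma-separated field (the date itself contains a comma).
truststore_aliases() {
  printf '%s\n' "$1" | grep -E ', (trustedCertEntry|PrivateKeyEntry),' \
    | cut -d, -f1 | sort
}

# Print aliases present in the truststore ($1: keytool -list text) but absent
# from the keep list ($2: newline-separated aliases the deployment needs).
unused_aliases() {
  keep=$(printf '%s\n' "$2" | sed '/^$/d')
  truststore_aliases "$1" | while IFS= read -r entry; do
    printf '%s\n' "$keep" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
  done
}

# Emit one keytool -delete command per unused alias (printed, not executed).
delete_commands() {
  # $1 keystore path, $2 store password, $3 keytool -list text, $4 keep list
  unused_aliases "$3" "$4" | while IFS= read -r entry; do
    printf "keytool -delete -keystore '%s' -storepass '%s' -alias '%s'\n" \
      "$1" "$2" "$entry"
  done
}

# Constructed sample of `keytool -list` output (not a real truststore).
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

examplecomca2, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
idm-root-ca, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
openidm-localhost, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'
# Aliases this (assumed) deployment actually relies on.
KEEP='idm-root-ca
openidm-localhost'

delete_commands /path/to/openidm/security/truststore changeit "$SAMPLE_LIST" "$KEEP"
```

Replace `SAMPLE_LIST` with the real output of `keytool -list -keystore ... -storepass ...` and run the printed commands only after confirming each alias is genuinely unused.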
On Windows systems, you can manage certificates with the Microsoft Management Console (MMC) snap-in tool. For more information, see Working With Certificates in the Microsoft documentation.