Imagine configuring an account on a cloud storage service provider, using your system. The cloud interface can request a certificate and their values to be stored on your system. When reconnecting to the cloud service, your system automatically authenticates it using the certificate.

With JDK, such certificates are stored in the cacerts keystore. The certificate file cacerts resides in the security directory of your JDK installation directory and represents Certification Authority (CA) certifications applicable to the system-wide key store, as follows:

• Windows: JAVA_HOMElibsecurity
• Linux, Solaris, and macOS X: JAVA_HOME/lib/security

The root certificates are used to establish trust in the certificate chains employed in the various security protocols. The problem is that the cacerts keystore doesn't have any certificates in the JDK source code, which is mandatory for the default functionality of security components, such as TLS, in OpenJDK builds.

With root certificates, Oracle plans to bridge the gap between the OpenJDK build and OracleJDK builds. The users must populate their cacerts keystore with a set of root certificates to bridge this gap.

The plan is to provide a default set of root CA certificates in JDK, and open source the root certificates in Oracle's Java SE Root CA program.

The root certificates can be issued by the CAs of Oracle's Java SE Root CA program.