
Root certificate(s) missing from cacerts after changes to trust level in certdata.txt #4368

@paulcheeseman


The following certificate is missing from the cacerts truststore in recent releases of Temurin (since July 2025):

cn=globalsign_root_ca,ou=root_ca,o=globalsign_nv-sa,c=be, 5 May 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99

This seems to be due to an upstream change in the trust level of this certificate in certdata.txt.

Is the exclusion of this certificate from Temurin intended/expected? For what it's worth, it is still being shipped with Oracle Java and Mozilla are still shipping it with Firefox.

There may be other missing certificates as a result of the changes. I haven't conducted an exhaustive check. This particular certificate was brought to our attention because its absence causes errors when communicating with Gmail's IMAP server (imap.gmail.com).
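As an added example (not part of the original issue and not Temurin tooling): the exhaustive check mentioned above can be done by comparing `keytool -list` output from an older and a newer release by SHA-256 fingerprint rather than by alias, since aliases differ between vendors. The function names are hypothetical, and the second entry and both sample listings are constructed; only the GlobalSign entry is taken from the issue.

```python
import re

# Header line printed by `keytool -list` for each entry: "<alias>, <date>, <type>,"
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>.+), (?P<type>\w+Entry),?\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \(SHA-256\): (?P<fp>[0-9A-Fa-f:]{95})\s*$")


def parse_listing(text):
    """Map SHA-256 fingerprint -> alias for every trustedCertEntry in a listing."""
    entries, pending = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Only trust anchors matter here; skip private-key or secret-key entries.
            pending = m.group("alias") if m.group("type") == "trustedCertEntry" else None
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            entries[m.group("fp").upper()] = pending
            pending = None
    return entries


def missing_roots(old_listing, new_listing):
    """Return (fingerprint, alias) pairs present in the old store but not in the new one."""
    old, new = parse_listing(old_listing), parse_listing(new_listing)
    return sorted((fp, alias) for fp, alias in old.items() if fp not in new)


GLOBALSIGN_FP = ("EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:"
                 "1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99")  # from the issue
EXAMPLE_FP = ":".join(["AA"] * 32)  # constructed, not a real certificate

# Constructed listings in the format quoted in the issue.
OLD_LISTING = f"""Keystore type: JKS
Your keystore contains 2 entries

cn=globalsign_root_ca,ou=root_ca,o=globalsign_nv-sa,c=be, 5 May 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): {GLOBALSIGN_FP}
cn=example_root,o=example, 5 May 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): {EXAMPLE_FP}
"""
NEW_LISTING = f"""Keystore type: JKS
Your keystore contains 1 entry

exampleroot [jdk], Jul 22, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): {EXAMPLE_FP.lower()}
"""

if __name__ == "__main__":
    for fp, alias in missing_roots(OLD_LISTING, NEW_LISTING):
        print(f"missing from new store: {alias}\n  {fp}")
```

Real listings can be captured with `keytool -list -cacerts -storepass changeit` on each JDK, assuming the default truststore password is unchanged.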
