In the case of 'SHA1 denyAfter ', before 2018 a certificate with SHA1 can be used, but after that date, the certificate is rejected. 'denyAfter' checks if the given date is before the current date or the PKIXParameter date. This is useful for organizations that have their own private CA that trust using SHA1 with their trust anchor, but want to block certificate chains anchored by a public CA from using SHA1. SHA1's usage is checked through the certificate chain, but the chain must terminate at a marked trust anchor in the cacerts keystore to be rejected. 'jdkCA' examines the certificate chain termination with regard to the cacerts file. Three new Constraints were added to give more flexibility in allowing and rejecting certificates. This creates configurations that are absolute and lack flexibility in their usage. Previously it was limited to two Constraint types either a full disabling of an algorithm by name or a full disabling of an algorithm by the key size when checking certificates, certificate chains, and certificate signatures. : The certpath property has seen the most change. With the need to restrict weak algorithms usage in situations where they are most vulnerable, additional features have been added when configuring the and security properties in the curity file. Let's Encrypt certificates added to root CAs. JDK 8u141 contains IANA time zone data version 2017b
