@ppkarwasz

This change adds an important note to the documentation for log4j2.trustStoreLocation and the TrustStore plugin, advising users to configure trust stores with trust roots that are appropriate for their communication scope.

The recommendation is grounded in public guidance from NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, which advises minimizing trust anchors to those necessary for the intended connections.

@garydgregory garydgregory left a comment

Looks good. The file name "admonition" is weird in this context but that's just me. "guideline" seems better to me but it's not a big deal.

@ppkarwasz ppkarwasz enabled auto-merge (squash) December 17, 2025 22:32
@ppkarwasz

@garydgregory,

Thanks! I'll proceed with the rest of my TODO list tomorrow.

@ppkarwasz ppkarwasz merged commit 9c22ca2 into 2.x Dec 17, 2025
5 checks passed
@ppkarwasz ppkarwasz deleted the doc/2.x/trust-root branch December 17, 2025 22:52
ppkarwasz added a commit that referenced this pull request Dec 17, 2025
* docs: recommend use of appropriately scoped trust roots

This change adds an important note to the documentation for `log4j2.trustStoreLocation` and the `TrustStore` plugin, advising users to configure trust stores with trust roots that are appropriate for their communication scope.

The recommendation is grounded in public guidance from
[NIST SP 800-52 Rev. 2: *Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations*](https://csrc.nist.gov/pubs/sp/800/52/r2/final), which advises minimizing trust anchors to those necessary for the intended connections.

* fix: rename partial
Comment on lines +20 to +23
Log4j Core typically does not communicate with external organizations; therefore, the default trust store provided by the Java Runtime Environment is often not appropriate.

When configuring a trust store for Log4j Core, follow established best practices. For example,
https://csrc.nist.gov/pubs/sp/800/52/r2/final[NIST SP 800-52 Rev. 2] (§4.5.2) recommends using a trust store that contains only the CA certificates required for the intended communication scope, such as a private or enterprise CA. This reduces exposure to unintended or compromised CA certificates included in the default trust store.
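
Review bot: The first sentence of the note hedges twice ("typically", "often not appropriate") without saying when the JRE default trust store would be acceptable, so a reader cannot tell whether the advice applies to their deployment. Consider stating the condition directly, for example that the default store is not appropriate when Log4j Core only connects to endpoints whose certificates are issued by a private or enterprise CA, which is the case the second paragraph already describes.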

Very helpful!
