diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
index 47887916c664f..92e2cff58a55f 100644
--- a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
+++ b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 
 import static com.oracle.svm.core.snippets.KnownIntrinsics.readCallerStackPointer;
 
+import java.lang.ref.ReferenceQueue;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.net.URL;
@@ -43,8 +44,10 @@
 import java.security.SecureRandom;
 import java.util.List;
 import java.util.Map;
+import java.util.function.BooleanSupplier;
 import java.util.function.Predicate;
 
+import org.graalvm.compiler.serviceprovider.GraalServices;
 import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
 import org.graalvm.nativeimage.Platform;
 import org.graalvm.nativeimage.Platforms;
@@ -313,10 +316,26 @@ static boolean isTrustedCryptoProvider(Provider provider) {
     }
 }
 
+final class QueueFieldPresent implements BooleanSupplier {
+    @Override
+    public boolean getAsBoolean() {
+        try {
+            Class<?> jceSecurity = Class.forName("javax.crypto.JceSecurity");
+            jceSecurity.getDeclaredField("queue");
+            return true;
+        } catch (ClassNotFoundException | NoSuchFieldException e) {
+            return false;
+        }
+    }
+}
+
 @TargetClass(className = "javax.crypto.JceSecurity")
 @SuppressWarnings({"unused"})
 final class Target_javax_crypto_JceSecurity {
 
+    @Alias @TargetElement(onlyWith = QueueFieldPresent.class)//
+    public static ReferenceQueue<Object> queue;
+
     /*
      * Lazily recompute the RANDOM field at runtime. We cannot push the entire static initialization
      * of JceSecurity to run time because we want the JceSecurity.verificationResults initialized at
@@ -389,8 +408,19 @@ public Object transform(Object receiver, Object originalValue) {
     }
 }
 
-@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = JDK17OrLater.class)
-@SuppressWarnings({"unused"})
+final class IdentityWrapperPresent implements BooleanSupplier {
+    @Override
+    public boolean getAsBoolean() {
+        try {
+            Class.forName("javax.crypto.JceSecurity$IdentityWrapper");
+            return true;
+        } catch (ClassNotFoundException e) {
+            return false;
+        }
+    }
+}
+
+@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "IdentityWrapper", onlyWith = IdentityWrapperPresent.class)
 final class Target_javax_crypto_JceSecurity_IdentityWrapper {
     @Alias //
     Provider obj;
@@ -401,6 +431,26 @@ final class Target_javax_crypto_JceSecurity_IdentityWrapper {
     }
 }
 
+final class WeakIdentityWrapperPresent implements BooleanSupplier {
+    @Override
+    public boolean getAsBoolean() {
+        try {
+            Class.forName("javax.crypto.JceSecurity$WeakIdentityWrapper");
+            return true;
+        } catch (ClassNotFoundException e) {
+            return false;
+        }
+    }
+}
+
+@TargetClass(className = "javax.crypto.JceSecurity", innerClass = "WeakIdentityWrapper", onlyWith = WeakIdentityWrapperPresent.class)
+final class Target_javax_crypto_JceSecurity_WeakIdentityWrapper {
+    @Alias //
+    Target_javax_crypto_JceSecurity_WeakIdentityWrapper(Provider obj, ReferenceQueue<Object> queue) {
+        // Do nothing this is just an alias
+    }
+}
+
 class JceSecurityAccessor {
     private static volatile SecureRandom RANDOM;
 
@@ -432,7 +482,12 @@ static Object providerKey(Provider p) {
         if (JavaVersionUtil.JAVA_SPEC <= 11) {
             return p;
         }
+
         /* Starting with JDK 17 the verification results map key is an identity wrapper object. */
+        if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
+            return new Target_javax_crypto_JceSecurity_WeakIdentityWrapper(p, Target_javax_crypto_JceSecurity.queue);
+        }
+
         return new Target_javax_crypto_JceSecurity_IdentityWrapper(p);
     }
 
diff --git a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
index 8824050a3b3b8..304baf73c17df 100644
--- a/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
+++ b/substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/SecurityServicesFeature.java
@@ -31,6 +31,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.lang.ref.Reference;
 import java.lang.reflect.Executable;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
@@ -85,6 +86,7 @@
 import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
 
 import org.graalvm.compiler.options.Option;
+import org.graalvm.compiler.serviceprovider.GraalServices;
 import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
 import org.graalvm.nativeimage.ImageSingletons;
 import org.graalvm.nativeimage.hosted.RuntimeJNIAccess;
@@ -848,9 +850,31 @@ private Function<Object, Object> constructVerificationCacheCleaner(Class<?> jceS
             };
         }
         /*
-         * For JDK 17 and later, the verification cache is an IdentityWrapper -> Verification result
-         * ConcurrentHashMap. The IdentityWrapper contains the actual provider in the 'obj' field.
+         * For JDK 17.0.10 and later, the verification cache is a WeakIdentityWrapper ->
+         * Verification result ConcurrentHashMap. The WeakIdentityWrapper contains the actual
+         * provider in the 'obj' field.
          */
+        if (JavaVersionUtil.JAVA_SPEC == 17 && GraalServices.getJavaUpdateVersion() >= 10) {
+            Method getReferent = ReflectionUtil.lookupMethod(Reference.class, "get");
+            Predicate<Object> listRemovalPredicate = wrapper -> {
+                try {
+                    return shouldRemoveProvider((Provider) getReferent.invoke(wrapper));
+                } catch (IllegalAccessException | InvocationTargetException e) {
+                    throw VMError.shouldNotReachHere(e);
+                }
+            };
+
+            return obj -> {
+                Map<Object, Object> original = (Map<Object, Object>) obj;
+                Map<Object, Object> verificationResults = new ConcurrentHashMap<>(original);
+
+                verificationResults.keySet().removeIf(listRemovalPredicate);
+
+                return verificationResults;
+            };
+
+        }
+
         Class<?> identityWrapper = loader.findClassOrFail("javax.crypto.JceSecurity$IdentityWrapper");
         Field providerField = ReflectionUtil.lookupField(identityWrapper, "obj");