Bit of a cert noob and I'm having trouble finding details on whether setting javax.net.ssl.trustStore adds to or overrides the default JDK cacerts?

My app is using:

-Djavax.net.ssl.trustStore=my-truststore.jks

And setting up a client for AWS S3 (default, without explicitly telling it to use any specific certs):

<bean name="s3Client" class="com.amazonaws.services.s3.AmazonS3ClientBuilder"
    factory-method="defaultClient">
</bean>

If javax.net.ssl.trustStore adds to the default JDK cacerts, then I should be ok because I believe that already contains the certs I need, but my-truststore does not. (AWS CAs were added to jdk: https://bugs.openjdk.java.net/browse/JDK-8233223)

If a custom Trust Store is specified by the javax.net.ssl.trustStore - then the default one (default JDK cacerts) won't be used.

Not sure if term "override" is 100% correct here. The defauld JDK cacerts remains, you don't update it or something. But your custom one is used.

I'd say it is not recommended that you modify the default Trust Store, given that it is shipped with your JVM and will be updated with it.

Instead you could make a copy and add your certificates to the copy and set this copy as the custom one (using javax.net.ssl.trustStore).

For instance:

1. Copy the default one (simply copy the file)

2. Use keytool to add some specific certificates to the copy

   keytool -import -file /path/to/certificate.pem -alias NameYouWantToGiveOfYourCertificate -keystore /path/to/copy/of/default/truststore.jks -storepass changeit
   

This is just an example. You might want to use some other tool, but hope the idea is clear :)