Is there a way to load a different cacerts than the one specified in the java_home/jre/lib/security folder?

4

49

I have a single installation of java in a system that runs 2 or 3 applications.

All the applications use the same runtime.

Is there a way to specify a different keystore for the CA certs than the one in java_home/jre/lib/security? That is, is there an option to specify an "extra" keystore that is loaded and added to the certs loaded from java_home/jre/lib/security/cacerts?

What I want to avoid is having to re-import our local CA every time I upgrade the JDK on the box.

Crenellate answered 15/4, 2010 at 0:58 Comment(1)
The cacerts file is a truststore, not a keystore. It doesn't contain any private keys.Outpouring
86

I think you want to specify the truststore:

java -Djavax.net.ssl.trustStore=/home/gene/mycacerts ...

Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacerts in the $JAVA_HOME/jre/lib/security/ directory (although you'd still have to do that each time a JDK got installed/reinstalled). Sun's JSSE looks for $JAVA_HOME/jre/lib/security/jssecacerts before $JAVA_HOME/jre/lib/security/cacerts.

See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager

Osculation answered 15/4, 2010 at 14:1 Comment(2)
Either of these replaces cacerts. Q wanted to 'load[] and add[] to' which means either copying cacerts to jssecacerts or /wherever/mycerts and adding the custom CA(s) to that copy, or alternatively creating a file with the custom CA(s) and then keytool -importkeystore the contents of cacerts into the new file.Perambulator
Thank you for this answer, it saved my day. I don't have the admin rights to write in C drive where I have my JDK installed. I appended "-Djavax.net.ssl.trustStore=<MyLocation>" into Tomcat Catalina and it worked.Cervix
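The question asks for an extra truststore that is added to the JDK's cacerts rather than replacing it, which is what the comment above points out neither -Djavax.net.ssl.trustStore nor jssecacerts does on its own. The following is an added example, not code from any answer on this page: it loads the JDK's own bundled truststore (looking up jssecacerts before cacerts, the same order JSSE uses), loads a second file holding the local CA, copies every trusted-certificate entry from both into an in-memory store, and installs a TrustManager built from that merged store as the JVM default SSLContext. The path /etc/myapp/local-ca.p12 and the password "changeit" for the extra file are placeholders, and the alias prefixes are an assumption chosen so that aliases from the two files cannot collide.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds a trust store holding the JDK's default CA set plus the CAs from an
 * extra file, so a JDK upgrade no longer drops the locally trusted CA.
 * Added example; not from the original answers.
 */
public final class MergedTrustStore {

    private MergedTrustStore() {}

    /**
     * Locates the JDK's bundled trust store. java.home is the JRE directory on
     * Java 8 and the JDK root on Java 9+, so lib/security/cacerts resolves on both.
     * jssecacerts is preferred over cacerts, mirroring JSSE's own lookup order.
     */
    static Path defaultCacertsPath() {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    /** Loads a keystore file; a null password skips the integrity check but still reads the entries. */
    static KeyStore load(Path file, char[] password) throws IOException, GeneralSecurityException {
        // The JDK's JKS/PKCS12 compatibility mode lets the default type read either format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Copies every trusted-certificate entry from src into dst, returning how many were copied. */
    static int copyTrustedCerts(KeyStore src, KeyStore dst, String aliasPrefix)
            throws GeneralSecurityException {
        int copied = 0;
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!src.isCertificateEntry(alias)) {
                continue; // skip private-key entries: a trust store should carry CA certs only
            }
            Certificate cert = src.getCertificate(alias);
            dst.setCertificateEntry(aliasPrefix + alias, cert); // prefix avoids alias collisions
            copied++;
        }
        return copied;
    }

    /**
     * Merges the JDK default CAs with those in extraTrustStore and installs the
     * result as the JVM-wide default SSLContext used by HttpsURLConnection and
     * other JSSE clients that do not build their own context.
     */
    public static SSLContext installMergedTrust(Path extraTrustStore, char[] extraPassword)
            throws IOException, GeneralSecurityException {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store

        KeyStore defaults = load(defaultCacertsPath(), null);
        KeyStore extra = load(extraTrustStore, extraPassword);
        copyTrustedCerts(defaults, merged, "jdk-");
        copyTrustedCerts(extra, merged, "local-");

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password for the extra trust store (assumptions, not page values).
        Path extra = Paths.get(args.length > 0 ? args[0] : "/etc/myapp/local-ca.p12");
        SSLContext ctx = installMergedTrust(extra, "changeit".toCharArray());
        System.out.println("Merged trust store installed as default " + ctx.getProtocol() + " context");
    }
}
```

Because the merge happens in memory at startup, the extra file survives JDK upgrades untouched and the bundled cacerts is read from whatever JDK is current; anything that builds its own SSLContext (some HTTP client libraries, Tomcat connectors) must be pointed at the same TrustManagers explicitly, since SSLContext.setDefault only affects code that asks for the default.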
23

Both of these JVM options are used to locate a custom truststore and its password.

java -Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit

In order to make sure which trustStore is being loaded by the application, add the following argument as well:

-Djavax.net.debug=ssl:handshake
Idell answered 7/11, 2017 at 9:32 Comment(0)
1

If your JVM hosts more than one application, then by default all the applications will use the default cacerts store in the $JAVA_HOME/jre/lib/security/ location. But if you want the applications to use a different cert store, then you have to define the custom cert store and point to it. In this way you can create your own certstore. System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts"); -- use this line before creating the http/https session. You can also import certificates into cusomtcacerts by using keytool.

Artificial answered 26/7, 2018 at 16:50 Comment(2)
have you tested this - System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts");Aargau
Yes. This is tested.Artificial
-4

According to this:

Java JSSE Reference Guide - Customization

You could use the system property:

javax.net.ssl.keyStore

Like:

java -Djavax.net.ssl.keyStore=yourkeystore YourProgram

But!! I have never tried it. Let me know if it works, would you?

Alkalinity answered 15/4, 2010 at 1:13 Comment(3)
I don't think this is the correct answer, though it is close. The javax.net.ssl.keyStore and trustStore properties are subtly different, and what the OP needs is trustStore customization.Germann
@GregS you're probably right. Feniix, would you let us know your results? and/or what was the solution you use?Alkalinity
This answer is not correct. OP is asking about the truststore, not keystores.Outpouring
