Why does java have both the cacerts and jssecacerts files?
I'm seriously confused on the differences between cacerts and jssecacerts files.

I know that by default java looks for the jssecacerts file and then the cacerts file.

But what is the point of the jssecacerts file?

My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other java applications that run on that machine won't accidentally trust non-default CAs.

Millepore answered 18/4, 2011 at 21:59 Comment(1)
do you really find none of the 3 answers to be the correct one? Could you select the one you deem to be correct please? – Eradicate
From Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:

  1. system property javax.net.ssl.trustStore
  2. java-home/lib/security/jssecacerts
  3. java-home/lib/security/cacerts (shipped by default)

I think this is based on the convention over configuration concept. Without extra coding effort, cacerts will be used. For extra private CA/Signing certs, a developer can use either the first or the second way, where the former may just contain a particular cert but the latter contains a list of certs.

Darrel answered 5/6, 2013 at 3:46 Comment(1)
The point being once it finds 1, 2, or 3 it uses that exclusively, so jssecacerts would need to include ALL the certs if used. – Eradicate
As I understand it, the cacerts file is the shipped default one.

If there is a jssecacerts file it is used exclusively - not in addition to the cacerts file.

My recommendation: keep the cacerts file, copy to jssecacerts and add any private CA/Signing certs needed to the jssecacerts file.

Libelant answered 20/4, 2011 at 23:5 Comment(2)
Thanks for this, I too found that having a CA in cacerts doesn't work if a jssecacerts file exists, and it needs to be added to jssecacerts instead. – Fayina
@EJP You are not "clobber"ing the shipped jssecacerts file. There is no jssecacerts file shipped. By copying cacerts to jssecacerts Java will now use jssecacerts instead. Now you can add/remove certs from jssecacerts using keytool without worrying about changing the defaults (cacerts) that shipped with Java. Undoing any changes is as easy as removing jssecacerts from the directory. – Flesher
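An added example (not from any of the answers above) that puts the lookup order from Darrel's answer and the copy-to-jssecacerts recommendation from Libelant's answer into two shell functions. It assumes `keytool` is on PATH and that the first argument is the JRE home (the directory that contains `lib/security`; on JDK 8 that is `$JAVA_HOME/jre`, on JDK 9+ it is `$JAVA_HOME` itself); the CA file, alias and `/opt/app` path are placeholders.

```sh
#!/bin/sh
# Mirror the order the default TrustManagerFactory uses to find trust material:
#   1. javax.net.ssl.trustStore (if set, used even if the file is missing on disk)
#   2. <jre-home>/lib/security/jssecacerts   (used exclusively when present)
#   3. <jre-home>/lib/security/cacerts       (shipped default)
# Usage: resolve_truststore <jre_home> [value of -Djavax.net.ssl.trustStore]
# Prints the path that would be loaded; returns 1 if nothing applies.
resolve_truststore() {
  jre_home=$1
  prop=$2
  if [ -n "$prop" ]; then
    printf '%s\n' "$prop"
    return 0
  fi
  if [ -f "$jre_home/lib/security/jssecacerts" ]; then
    printf '%s\n' "$jre_home/lib/security/jssecacerts"
    return 0
  fi
  if [ -f "$jre_home/lib/security/cacerts" ]; then
    printf '%s\n' "$jre_home/lib/security/cacerts"
    return 0
  fi
  return 1
}

# Create jssecacerts as a copy of the shipped cacerts (only if it does not exist
# yet) and import a private CA into the copy, leaving cacerts itself untouched.
# Because jssecacerts replaces cacerts rather than extending it, the copy step
# is what keeps the public CAs trusted. Reverting is just deleting jssecacerts.
# Usage: add_private_ca <jre_home> <ca.pem> <alias> [storepass]
# (the shipped cacerts password is "changeit"; a hypothetical alias is used here)
add_private_ca() {
  sec="$1/lib/security"
  pass=${4:-changeit}
  [ -f "$sec/jssecacerts" ] || cp "$sec/cacerts" "$sec/jssecacerts"
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$sec/jssecacerts" -storepass "$pass" \
    -alias "$3" -file "$2"
}

# Example calls (placeholder paths):
#   resolve_truststore /usr/lib/jvm/java/jre
#   add_private_ca /usr/lib/jvm/java/jre /tmp/corp-root-ca.pem corp-root-ca
```

Only the copy in jssecacerts is modified, so applications started with -Djavax.net.ssl.trustStore pointing elsewhere, or on a machine without the jssecacerts file, keep the shipped defaults.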
Good question. I think it arises from the historical fact that JSSE was once an add-on. JSSE does allow multiple providers, so maybe jssecacerts is only for the JSSE provider, and other providers might use their own.

But who used cacerts prior to JSSE is another question.

Haaf answered 19/4, 2011 at 1:5 Comment(0)