Generally speaking, you can't (this is quite similar to this question).
In the JSSE API, trusting a certificate isn't actually determined by a trust store, but by a TrustManager
. Whilst it's often initialised with a keystore (the truststore), this is not necessary. In addition, the keystores themselves don't have to be files. There is nothing in the default trust manager API that lets you check where and how a potential trust store was used.
There isn't even anything in the SSLSocket
that lets you get back to its SSLSocketFactory
, and nothing there that lets you get back to its originating SSLContext
, and nothing there that lets you get the trust managers.
Which truststore/trust manager is currently active also depends very much on the application. Nothing tells you in general that the connections an application is making are using the default SSLContext
, which can be initialised by the javax.net.ssl.*
system properties. Applications are free to initialise their own SSLContext
s to create their sockets (this is what Tomcat do for its connectors when you specify certain values).
Since Java 6, the default (current) SSLContext
can also be changed globally (via SSLContext.setDefault(...)
.
You can find what's being used by default from the JSSE Reference Guide. The rest will depend on the documentation of each application. Using -Djavax.net.debug=SSL,trustmanager
may help if you need, but this isn't API access.
(By the way, -Djavax.net.ssl.keyStore
will set up the keystore for the default key manager, not the trust store.)