33

I have a single installation of java in a system that runs 2 or 3 applications.

All the applications use the same runtime.

Is there a way to specify a different keystores for the ca certs than the one in java_home/jre/lib/security. That is, is there an option to specify an "extra" keystore that is loaded and added to the certs loaded from java_home/jre/lib/security/cacerts?

What I want to avoid is having to re-import our local ca every time I upgrade the jdk in the box.

feniix
  • 1,408
  • 2
  • 21
  • 34

4 Answers4

71

I think you want to specify the truststore:

java -Djavax.net.ssl.trustStore=/home/gene/mycacerts ...

Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacerts in the $JAVA_HOME/jre/lib/security/ directory (although you'd still have to do that each time a JDK got installed/reinstalled). Sun's JSSE looks for $JAVA_HOME/jre/lib/security/jssecacerts before $JAVA_HOME/jre/lib/security/cacerts.

See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager

Gene Gotimer
  • 6,781
  • 2
  • 27
  • 44
  • 5
    Either of these _replaces_ cacerts. Q wanted to 'load[] and add[] to' which means either _copying_ cacerts to jssecacerts or /wherever/mycerts and adding the custom CA(s) to that copy, or alternatively creating a file with the custom CA(s) and then `keytool -importkeystore` the contents of cacerts into the new file. – dave_thompson_085 Jul 26 '18 at 17:59
  • 1
    Thank you for this answer, it saved my day. I don't have the admin rights to write in C drive where I have my JDK installed. I appended "-Djavax.net.ssl.trustStore=" into Tomcat Catalina and it worked. – Vikram Bhardwaj Sep 18 '20 at 16:58
15

These both jvm options are used to locate custom truststore and their password.

java -Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit

In order to make sure what trustStore is being loaded by the application, add following argument as well,

-Djavax.net.debug=ssl:handshake
rogue lad
  • 2,060
  • 2
  • 26
  • 32
0

If your JVM contains more than one application then by default all the applications will use the default cacerts store which is in $JAVA_HOME/jre/lib/security/ location . But if you want the applications should use different cert store then you have to define the custom cert store and point to that. In this way you can create your own certstore. System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts");-- Use this line before creating the http/https session. You can import the certificates to the cusomtcacerts by using keytool also.

JitenS
  • 11
  • 1
-3

According to this:

Java SSE Referece Guide - Customization

You could use the system property:

javax.net.ssl.keyStore

Like: 

java -Djavax.net.ssl.keyStore=youkeystore YourProgram

But!! I have never tried. Let me know if it works would you?

OscarRyz
  • 184,433
  • 106
  • 369
  • 548
  • 5
    I don't think this is the correct answer, though it is close. The javax.net.ssl.keyStore and trustStore properties are subtly different, and what the OP needs is trustStore customization. – President James K. Polk Apr 16 '10 at 00:48
  • @GregS you're probably right. Feniix, would you let us know your results? and/or what was the solution you use? – OscarRyz Apr 16 '10 at 00:56
  • 2
    This answer is not correct. OP is asking about the truststore, not keystores. – user207421 Feb 27 '17 at 04:59