Certificates trusted by the default JDK installation

Question

Looking for a way to understand what certificates are trusted by JDK by default, without having to purchase the trial one.

JDK has this list of CAs that it trusts, but it's not really helpful, since before the purchase it's not clear which CA this certificate is going to be signed by (most certificates are signed by Intermediate authorities.)

Is there any list/database of certificates that are guaranteed to be trusted by the default JDK installation?

Answer 1

The JRE with default settings trusts all certificates that somehow link to one of the certificates in jre/lib/security/cacerts, unless you have configured a different truststore. Actually the process is a bit more complicated (google PKIX path validation), but this explanation is good enough for our purposes. If your certificate is signed by an intermediate CA (which is true for most certificates), be sure to supply the certificate chain. For example, if you use it for https on an apache webserver, use the SSLCertificateChainFile option to configure the file with the intermediates. This way, it doesn't matter which intermediate signs the certificate, as long as the intermediate links to a CA in cacerts. BTW: The process to get a certificate into the truststore is explained here: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html Since Oracle reserves the right to remove CAs from this list, there is no list that will be guaranteed to work in future releases. Depending on your application supplying your own truststore via property javax.net.ssl.trustStore might be an option.