Is there any function which tells me what's the current truststore being used in my program. On windows, the default trust store is at JAVA_HOME\lib\security\cacerts.
However, the default can be changed in a variety of ways.
Using -Djavax.net.ssl.keyStore
in the command line
Using Keystore
class.
If the program is running on an App Server under which the application runs may set the store path through it's panel.
If the program is running on Tomcat, then Tomcat settings may change the truststore.
and many other ways.
Is there a programmatic way by which I can find out the disk path of the truststore which is currently active?
The truststore is a file that contains the root certificates for Certificate Authorities (CA) that issue certificates such as GoDaddy, Verisign, Network Solutions, and others. The truststore comes bundled with the JDK/JRE and is located in $JAVA_HOME/lib/security/cacerts .
To Create the Keystore and Trust StoreExport the certificate to a file. The certificate is stored in the file that you specified. Import the certificate into a new trust store. The trust store is created.
In Java, according to the JSSE Reference Guide, there is no default for the keystore , the default for the truststore is "jssecacerts, if it exists. Otherwise, cacerts".
A Java Keystore (JKS) is a common keystore type that is used for Java environments because it is easier to set up. JKSs use files with a . jks extension that are stored in the zFS file system. The JKS is referenced by the keyStore element in the server.
Generally speaking, you can't (this is quite similar to this question).
In the JSSE API, trusting a certificate isn't actually determined by a trust store, but by a TrustManager
. Whilst it's often initialised with a keystore (the truststore), this is not necessary. In addition, the keystores themselves don't have to be files. There is nothing in the default trust manager API that lets you check where and how a potential trust store was used.
There isn't even anything in the SSLSocket
that lets you get back to its SSLSocketFactory
, and nothing there that lets you get back to its originating SSLContext
, and nothing there that lets you get the trust managers.
Which truststore/trust manager is currently active also depends very much on the application. Nothing tells you in general that the connections an application is making are using the default SSLContext
, which can be initialised by the javax.net.ssl.*
system properties. Applications are free to initialise their own SSLContext
s to create their sockets (this is what Tomcat do for its connectors when you specify certain values).
Since Java 6, the default (current) SSLContext
can also be changed globally (via SSLContext.setDefault(...)
.
You can find what's being used by default from the JSSE Reference Guide. The rest will depend on the documentation of each application. Using -Djavax.net.debug=SSL,trustmanager
may help if you need, but this isn't API access.
(By the way, -Djavax.net.ssl.keyStore
will set up the keystore for the default key manager, not the trust store.)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With