How to preserve the CAcerts keystore on Mac across updates?

Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very annoying since we have internal CAs for development environments, testing…

Is there a way to preserve keystore changes across Apple JSRs, and now, with Snow Leo JSR3, also across updates for the separate Java developer packages (whose JDKs use the same keystore)?

Bernd Haug asked Dec 13 '10 12:12


3 Answers

[ This is outdated info - see the answer below for 10.6+ ]

/System/Library/Frameworks/JavaVM.framework/Home/ is a symlink to Versions/CurrentJDK/Home within JavaVM.framework. Obviously this will change with a new version. Use the full path (e.g. /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home) and it won't change across updates.

Barry Wark answered Sep 21 '22 07:09


The following parameters can be used to specify the location of the cacerts file to java:

-Djavax.net.ssl.trustStore=<cacerts.location>
-Djavax.net.ssl.trustStorePassword=changeit

Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.

Two downsides to this approach are:

  • Your file won't get any updates to the cacerts file in the sdk. This is primarily an issue if a certificate authority is compromised.
  • Everywhere you need the custom cacerts (build tools, app server, etc.), these parameters need to be specified.
kldavis4 answered Sep 20 '22 07:09

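An added example, not part of kldavis4's answer, that automates the approach above: a shell script that copies the system cacerts, layers internal CA certificates on top with keytool, and prints the two -D flags. It goes one step further than the answer by always rebuilding from the current system store, so CA additions or removals shipped with a Java update are picked up (the first downside listed). The system path is the one quoted in the question; the private store location, the internal-CA directory, the alias prefix and the use of the default 'changeit' password are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example): keep a private truststore that tracks
# the system cacerts but also carries internal CAs across Java updates.
set -e

# Assumed locations; override via environment variables if needed.
SYSTEM_CACERTS="${SYSTEM_CACERTS:-/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts}"
MY_CACERTS="${MY_CACERTS:-${HOME:-.}/.java/cacerts}"
INTERNAL_CA_DIR="${INTERNAL_CA_DIR:-${HOME:-.}/.java/internal-cas}"  # one *.pem per CA (assumed layout)
STOREPASS="${STOREPASS:-changeit}"  # default cacerts password, as the answer notes

# Print the JVM flags that point Java at the private store.
java_trust_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Rebuild the private store from a fresh copy of the system cacerts, then
# import every internal CA on top. Re-running this after each Java update
# keeps Apple's CA changes while preserving the internal CAs.
rebuild_truststore() {
    mkdir -p "$(dirname "$MY_CACERTS")"
    cp "$SYSTEM_CACERTS" "$MY_CACERTS.tmp"
    for pem in "$INTERNAL_CA_DIR"/*.pem; do
        [ -f "$pem" ] || continue
        alias="internal-$(basename "$pem" .pem)"   # assumed alias convention
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$MY_CACERTS.tmp" -storepass "$STOREPASS" \
            -alias "$alias" -file "$pem"
    done
    mv "$MY_CACERTS.tmp" "$MY_CACERTS"
}

# Post-update check: confirm an internal CA alias is still present.
has_alias() {
    keytool -list -keystore "$MY_CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "rebuild" ]; then
    rebuild_truststore
    echo "Run Java with: $(java_trust_opts "$MY_CACERTS" "$STOREPASS")"
fi
```

The printed flags can be placed in JAVA_TOOL_OPTIONS or the JVM arguments of each build tool and app server that needs the internal CAs, which is the second downside the answer mentions.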


It seems things have changed in Mac OS X 10.6.8 Snow Leopard. Now /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts is a symlink to /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts, which won't change on updates, if we're lucky.

Hans-Christoph Steiner answered Sep 22 '22 07:09