I'm seriously confused on the differences between cacerts and jssecacerts files.
I know that by default Java looks for the jssecacerts file and then the cacerts file.
But what is the point of the jssecacerts file?
My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other Java applications that run on that machine won't accidentally trust non-default CAs.
The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying jks as the keystore type. The cacerts keystore file ships with several root CA certificates. The initial password of the cacerts keystore file is changeit.
Java has bundled a truststore called cacerts, and it resides in the $JAVA_HOME/jre/lib/security directory.
The cacerts file is a collection of trusted certificate authority (CA) certificates. Oracle includes a cacerts file with its SSL support in the Java™ Secure Socket Extension (JSSE) tool kit and JDK.
There is no jssecacerts file shipped. By copying cacerts to jssecacerts, Java will now use jssecacerts instead. Now you can add/remove certs from jssecacerts using keytool without worrying about changing the defaults (cacerts) that shipped with Java. Undoing any changes is as easy as removing jssecacerts from the directory. Good question.
Here we are going to see how to Import Certificates to the Cacerts Keystore file in Java. For importing certificates you have to add certificates one by one into the Keystore file. The certificates may have .cer extension. Application Servers like WebSphere and WebLogic will have the keystore file with .jks extension. jks stands for Java Keystore.
Cacerts is a CA keystore file. To install certificates to cacerts you have the following options, trustcacerts - trustcacerts means trusted certificates. It can be read as trusted ca certs.
'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself. cacerts is where Java stores public certificates of root CAs. Java uses cacerts to authenticate the servers.
From the Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:
1. javax.net.ssl.trustStore
2. java-home/lib/security/jssecacerts
3. java-home/lib/security/cacerts (shipped by default)
I think this is based on the convention over configuration concept. Without extra coding effort, cacerts will be used. For extra private CA/signing certs, a developer can use either the first or the second way, where the former may just contain a particular cert but the latter contains a list of certs.
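The lookup order quoted above, as an added shell example that is not code from the original post: it resolves the trust store the way JSSE does and walks through the copy-to-jssecacerts and undo steps against a constructed fake java-home in a temp directory, so no JDK is needed; the keytool line in the comment is the standard import syntax with placeholder alias and file name.

```shell
#!/bin/sh
# Resolve which trust store JSSE will pick, following the order quoted above:
#   1. the javax.net.ssl.trustStore system property (if set)
#   2. <java-home>/lib/security/jssecacerts
#   3. <java-home>/lib/security/cacerts
# Args: java-home directory, and optionally the value of -Djavax.net.ssl.trustStore.
# Prints the chosen path; returns 1 if none is found.
resolve_truststore() {
  java_home="$1"
  prop="${2:-}"
  if [ -n "$prop" ]; then
    # An explicit property wins outright; JSSE does not fall back if it is missing.
    printf '%s\n' "$prop"
    return 0
  fi
  for candidate in jssecacerts cacerts; do
    if [ -f "$java_home/lib/security/$candidate" ]; then
      printf '%s\n' "$java_home/lib/security/$candidate"
      return 0
    fi
  done
  return 1
}

# Walk through the workflow from the answers using a fake java-home (constructed).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/lib/security"
  : > "$tmp/lib/security/cacerts"            # stand-in for the shipped cacerts
  echo "1) only cacerts present:  $(resolve_truststore "$tmp")"

  # Step from the answer: copy cacerts to jssecacerts so the shipped file stays untouched.
  cp "$tmp/lib/security/cacerts" "$tmp/lib/security/jssecacerts"
  # A private CA would then be added to the copy, e.g. (placeholder alias/file):
  #   keytool -importcert -trustcacerts -alias myca -file myca.cer \
  #           -keystore "$tmp/lib/security/jssecacerts" -storepass changeit
  echo "2) jssecacerts added:     $(resolve_truststore "$tmp")"

  # Alternative from the question: point one application at its own copy.
  echo "3) property set:          $(resolve_truststore "$tmp" /opt/app/mytruststore.jks)"

  # Undo: delete jssecacerts and the shipped defaults are back in effect.
  rm -f "$tmp/lib/security/jssecacerts"
  echo "4) jssecacerts removed:   $(resolve_truststore "$tmp")"
  rm -rf "$tmp"
}

demo
```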