[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Wang Weijun weijun.wang at oracle.com
Wed Oct 8 04:21:25 UTC 2014

On Oct 8, 2014, at 12:00, Xuelei Fan <xuelei.fan at oracle.com> wrote:

> On 10/8/2014 11:37 AM, Wang Weijun wrote:
>> On Oct 8, 2014, at 11:10, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>>> However, I can think of adding a new system property called "jdk.keytool.cacerts" so that people can point it to a file not jre/lib/security/cacerts. This would be useful for the bug reporter and we can now finally testing the -trustcacerts option.
>>> If I'm correct, the cacerts can be specified in command line.
>>> Considering we have had the command line option, the benefit of adding a
>>> new system property may be limited.
>> The option is a simple "-trustcacerts" without any parameter. So you cannot customize where the trusted keystore is.
> What's the option "-keystore" for?  I though it is the target keystore.
> Looks like the following command is confusing.
>   $ keytool -importcert ... -trustcacerts -keystore my-key-store

This means you want to import a cert into my-key-store. If that cert is signed by another cert in cacerts (or my-key-store) then the cert is silently imported. Otherwise, a prompt is printed out.

There are two keystores here. -keystore points to user's keystore that keytool will save into. cacerts is a read-only keystore that is used to find trusted certs.

> Per the doc, "If the -trustcacerts option was specified, then additional
> certificates are considered for the chain of trust, namely the
> certificates in a file named cacerts", "-trustcacerts" must store the
> cert in "cacerts", however, the "-keystore" option want to store the
> cert in "my-key-store".
> If you add a new property ("jdk.keytool.cacerts"), there might be
> compatibility issues as the target store may be not cacerts, for
> "-trustcacerts" option, any more.

No. Currently the cacerts in -trustcacerts is hard coded as jre/lib/security/cacerts. The new system property makes it customizable.

> Per the request of the bug, if customers want to use jssecacerts, they
> can simply use the "-keystore" option.  At the same point, if users want
> to use key store other than cacerts, just use the "-keystore" option.  I
> see not much benefits to define a new system property.

No, the -keystore points to user's own keystore, it is neither cacerts nor jssecacerts.


> Xuelei

More information about the security-dev mailing list