[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Xuelei Fan xuelei.fan at oracle.com
Wed Oct 8 08:01:03 UTC 2014

On 10/8/2014 3:33 PM, Wang Weijun wrote:
> On Oct 8, 2014, at 12:25, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>> On 10/8/2014 12:21 PM, Wang Weijun wrote:
>>> There are two keystores here. -keystore points to user's keystore that keytool will save into. cacerts is a read-only keystore that is used to find trusted certs.
>> Got it.
>> Is it possible to add an optional argument for the "-trustcacerts"
>> option?  If no argument, use the cacerts; otherwise, use the specified
>> value.
> Every keytool option either has an argument or not, so if you'd like it specified on the command line, a new option should be invented.
> Do you happen to know of other cases where a user wants to customize the location of cacerts?
It looks strange to me now that this keytool command cannot specify a
customized trust anchor source.  Normally, the key store of the trust
anchors should be customizable so that users can use trust anchors
other than those in the cacerts key store.  For example, in JSSE, an application is
able to use a key store other than cacerts as the trust store; in PKIX
certification path building and validation, an application is also able to
specify the trust store.


> Thanks
> Max
>> Xuelei

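As an added example, not code from this thread or from the JDK itself: the two APIs Xuelei points to, showing that both JSSE's TrustManagerFactory and the PKIX CertPathValidator take an arbitrary key store as the source of trust anchors. The trust store lookup mirrors the order JSSE's default trust manager uses (the javax.net.ssl.trustStore property, then <java-home>/lib/security/jssecacerts, then cacerts), which is the order the -trustcacerts option in this bug does not follow. The class name CustomTrustStoreDemo, the command-line arguments, the default password "changeit" and the choice to disable revocation checking are assumptions made here for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Assumed class name; the whole file is an illustration, not JDK code.
public class CustomTrustStoreDemo {

    /** Same lookup order as JSSE's default trust manager:
     *  javax.net.ssl.trustStore, then jssecacerts, then cacerts. */
    static Path resolveTrustStorePath() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : sec.resolve("cacerts");
    }

    /** Load the trust store; newer JDKs read JKS through the default (PKCS12) type. */
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** JSSE side: an SSLContext whose trust anchors come from the given store, not cacerts. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** PKIX side: validate a PEM chain (end entity first) against the same store's
     *  trusted-certificate entries. Returns the anchor the chain was built to. */
    static X509Certificate validateChain(KeyStore trustStore, Path pemChain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = Files.newInputStream(pemChain)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(chain);
        // Every trusted-certificate entry in the store becomes a TrustAnchor;
        // this constructor throws if the store holds none.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable offline
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(path, params);
        return res.getTrustAnchor().getTrustedCert();
    }

    // Usage: java CustomTrustStoreDemo [trustStorePath] [storePassword] [chain.pem]
    public static void main(String[] args) throws Exception {
        Path ts = args.length > 0 ? Paths.get(args[0]) : resolveTrustStorePath();
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // assumed default
        KeyStore trustStore = loadTrustStore(ts, pw);
        System.out.println("Trust store: " + ts + " (" + trustStore.size() + " entries)");

        SSLContext ctx = sslContextFor(trustStore);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());

        if (args.length > 2) {
            try {
                X509Certificate anchor = validateChain(trustStore, Paths.get(args[2]));
                System.out.println("Chain anchored at: " + anchor.getSubjectX500Principal());
            } catch (CertPathValidatorException e) {
                System.out.println("Chain rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with no arguments to see which store JSSE would pick on the current JDK, or pass an explicit store path, its password and a PEM chain to validate that chain against that store alone. Passing a store other than cacerts to both APIs is exactly the flexibility the reply above says keytool's -trustcacerts lacks.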