[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option
Sean Mullan
sean.mullan at oracle.com
Wed Oct 8 15:00:19 UTC 2014
On 10/08/2014 01:57 AM, Wang Weijun wrote:
>
> On Oct 8, 2014, at 16:01, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
>> It looks strange to me now that this keytool command cannot specify the
>> customized trusted anchor sources. Normally, the key store of the trust
>> anchor should be customizable so that users can use the trust anchor
>> other than the cacerts key store. For example, in JSSE, application is
>> able to use key store other than cacerts as the trust store; in PKIX
>> certification path building and validation, application is also able to
>> specify the trust store.
>
> It will be ugly if we add too many options for keytool. I'll think about creating some new system properties.
I agree that we should not read jssecacerts by default. My vote would be
to extend -trustcacerts to take an optional path to a cacerts file but
fall back on lib/security/cacerts if not specified. This enhancement
could then be useful for more than just jssecacerts. For example, in my
JavaOne presentation, I gave an example of creating a Domain KeyStore
that encompasses two root stores:
https://blogs.oracle.com/mullan/resource/J1-2014-CON5778.pdf
(see slides 34-35)
--Sean
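The Domain KeyStore approach Sean points to, as an added example that is not from this thread or from the JDK itself: it generates a DKS configuration that combines cacerts with jssecacerts (only when that file exists, since DKS rejects a keystore whose file is missing), loads the domain through DomainLoadStoreParameter, and counts the trust anchors visible through it. Assumptions: both files sit under $JAVA_HOME/lib/security and are readable as JKS; the domain name all_roots and class name CombinedRoots are mine.

```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public class CombinedRoots {

    // Builds the DKS config text: one "keystore" block per root store in the domain.
    static String domainConfig(Map<String, Path> stores) {
        StringBuilder sb = new StringBuilder("domain all_roots {\n");
        for (Map.Entry<String, Path> e : stores.entrySet()) {
            sb.append("    keystore ").append(e.getKey()).append(" {\n")
              .append("        keystoreType=\"JKS\";\n")   // assumption: JKS-readable files
              .append("        keystoreURI=\"").append(e.getValue().toUri()).append("\";\n")
              .append("    };\n");
        }
        return sb.append("};\n").toString();
    }

    public static void main(String[] args) throws Exception {
        Path secDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Map<String, Path> stores = new LinkedHashMap<>();
        Map<String, KeyStore.ProtectionParameter> prot = new LinkedHashMap<>();
        for (String name : new String[] {"cacerts", "jssecacerts"}) {
            Path p = secDir.resolve(name);
            if (Files.isRegularFile(p)) {   // jssecacerts is optional; skip it when absent
                stores.put(name, p);
                // null password: read the JKS without its integrity check; listing roots needs no secret
                prot.put(name, new KeyStore.PasswordProtection(null));
            }
        }
        Path cfg = Files.createTempFile("roots", ".cfg");
        Files.write(cfg, domainConfig(stores).getBytes("UTF-8"));

        KeyStore dks = KeyStore.getInstance("DKS");
        // The URI fragment selects which domain in the config file to load.
        dks.load(new DomainLoadStoreParameter(new URI(cfg.toUri() + "#all_roots"), prot));

        int anchors = 0;
        for (String alias : Collections.list(dks.aliases())) {
            if (dks.isCertificateEntry(alias)) anchors++;   // alias reads "<keystore name> <entry alias>"
        }
        System.out.println(stores.keySet() + " -> " + anchors + " trust anchors in domain all_roots");
    }
}
```

The same config can be handed to keytool as `-storetype DKS -keystore <config file URI>#all_roots` (an assumption based on keytool loading DKS via a URI, not verified against this build).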