[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Sean Mullan sean.mullan at oracle.com
Wed Oct 8 15:00:19 UTC 2014

On 10/08/2014 01:57 AM, Wang Weijun wrote:
> On Oct 8, 2014, at 16:01, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>> It looks strange to me now that this keytool command cannot specify the
>> customized trusted anchor sources.  Normally, the key store of the trust
>> anchor should be customizable so that users can use the trust anchor
>> other than the cacerts key store.  For example, in JSSE, application is
>> able to use key store other than cacerts as the trust store; in PKIX
>> certification path building and validation, application is also able to
>> specify the trust store.
> It will be ugly if we add too many options for keytool. I'll think about creating some new system properties.

I agree that we should not read jssecacerts by default. My vote would be 
to extend -trustcacerts to take an optional path to a cacerts file but 
fallback on lib/security/cacerts if not specified. This enhancement 
could then be useful for more than just jssecacerts. For example, in my 
JavaOne presentation, I gave an example of creating a Domain KeyStore 
that encompasses two root stores:


(see slides 34-35)


More information about the security-dev mailing list