[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Wang Weijun weijun.wang at oracle.com
Wed Oct 8 15:14:29 UTC 2014


On Oct 8, 2014, at 23:00, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> I agree that we should not read jssecacerts by default. My vote would be to extend -trustcacerts to take an optional path to a cacerts file but fallback on lib/security/cacerts if not specified.

No keytool option takes an optional argument now. This will be a big change.

> This enhancement could then be useful for more than just jssecacerts. For example, in my JavaOne presentation, I gave an example of creating a Domain KeyStore that encompasses two root stores:

This means we will need to provide both store type and store path (or config file) in the same option. It looks like multiple system properties is good at this.

Or, shall we invent a URI scheme?

--Max

> 
> https://blogs.oracle.com/mullan/resource/J1-2014-CON5778.pdf
> 
> (see slides 34-35)
> 
> --Sean



More information about the security-dev mailing list