[tls] On 8059818 Keytool does not recognize jssecacerts for -trustcacerts command line option

Wang Weijun weijun.wang at oracle.com
Fri Oct 10 08:43:20 UTC 2014

On Oct 8, 2014, at 23:30, Sean Mullan <sean.mullan at oracle.com> wrote:

>>> This enhancement could then be useful for more than just jssecacerts. For example, in my JavaOne presentation, I gave an example of creating a Domain KeyStore that encompasses two root stores:
>> This means we will need to provide both store type and store path (or config file) in the same option. It looks like multiple system properties is good at this.
> Good point.
>> Or, shall we invent a URI scheme?
> No, that seems like too much work.

In your slide, the DKS keystore is loaded by

  keystore.load(new DomainLoadStoreParameter(uri, Collections.emptyMap());

which means we cannot simply provide two system properties (or two new options)

  jdk.keytool.cacerts = dks.config
  jdk.keytool.cacerts.type = dks

and write a common code to load it.

BTW, I see that DomainKeyStore#load(stream,pass) is designed to load a keystore of JKS (or another default storetype). Why didn't we load a DKS config file (with common passwords or all null)?

> In fact, it is plausible we should defer this RFE for now if it is a lot of work, and we have higher priority things to work on.

OK. The bug report already included a workaround.


> How common is jssecacerts used anyway? I never really understood why there was a separate JSSE specific file for ca root certificates, I believe this may have been an artifact from when JSSE was shipped as a standalone extension.
> --Sean

More information about the security-dev mailing list