OS & JVM keystores

Baesken, Matthias matthias.baesken at sap.com
Wed Oct 1 13:14:52 UTC 2025 

Hi , we were recently asked if it is possible to have in Java something like a "union" of the Java certs and the system keystore.

Currently it seems only be possible to use one of them, e.g. a) use the Java cacerts or  b) switch fully to the system keystore (on Windows, there seems to be -Djavax.net.ssl.trustStoreType=Windows-ROOT )

For a more detailed discussion see

https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929<https://urldefense.com/v3/__https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929__;!!ACWV5N9M2RV99hQ!MZG04zXcn4IlpyOa_UDJl2-Fzb8aajztWecVbGgy74qgYbxtucZFIoV_fZpyk__sk3QIXQc7xqj3ZlRNAaE8Tm_Iz8I$>

"What we would need is a union of both keystores, which is currently not possible (neither is accessing the 'System Roots' nor is telling the JVM to use a union of multiple stores)."

and also
https://github.com/eclipse-packaging/packages/pull/224<https://urldefense.com/v3/__https://github.com/eclipse-packaging/packages/pull/224__;!!ACWV5N9M2RV99hQ!MZG04zXcn4IlpyOa_UDJl2-Fzb8aajztWecVbGgy74qgYbxtucZFIoV_fZpyk__sk3QIXQc7xqj3ZlRNAaE8j4QB9Iw$>


Sean Coffey also pointed out that there is the option of  implementing  an own 'TrustManagerFactory' implementation via addition of a provider  (currently, only the JSSE provider provides such functionality by default. e.g. entry point to loading trusted certs would be via this code: https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L48<https://urldefense.com/v3/__https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java*L48__;Iw!!ACWV5N9M2RV99hQ!Pdqi9KrO5AO_y6ZznwdSXbEoDEQHWDkIys-OOLQmQl134sT8OK4RyzRqIXu3e8oEQF3tnVeGP1Tnju0HOYp5hiQwZos$>   ).


 So is there some plan to have such a "union" / merging directly in  the JDK  ?
Or any hints how to handle this ?

(seems there are some people building a "union" / merged trustStore with scripts but this looks a bit like a hack to me and will not work for all users)


Best regards, Matthias

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20251001/bfb2da8c/attachment-0001.htm>

More information about the security-dev mailing list