OS & JVM keystores
Sean Mullan
sean.mullan at oracle.com
Wed Oct 1 19:01:14 UTC 2025
Hi,
There is already a feature in the JDK that is close to what you are
looking for. There is a KeyStore type called "DKS" (called the
DomainKeyStore). See
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
for more info on how to configure it.
Basically, it uses a config file to present a collection of keystores as
one logical keystore.
Currently there is no way to specify the configuration file as a system
property, so you would have to write a custom TrustManagerFactory.
I would try seeing if this solution is workable and we can think about
whether adding a system property for the config file is something that
would be useful.
--Sean
On 10/1/25 9:14 AM, Baesken, Matthias wrote:
>
> Hi, we were recently asked if it is possible to have in Java
> something like a "union" of the Java certs and the system keystore.
>
> Currently it seems only to be possible to use one of them, e.g. a) use
> the Java cacerts or b) switch fully to the system keystore (on
> Windows, there seems to be -Djavax.net.ssl.trustStoreType=Windows-ROOT )
>
> For a more detailed discussion see
>
> https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929
>
> *"What we would need is a union of both keystores, which is currently
> not possible (neither is accessing the 'System Roots' nor is telling
> the JVM to use a union of multiple stores)."*
>
> and also
>
> https://github.com/eclipse-packaging/packages/pull/224
>
> Sean Coffey also pointed out that there is the option of implementing
> one's own 'TrustManagerFactory' implementation via addition of a
> provider (currently, only the JSSE provider provides such
> functionality by default. e.g. entry point to loading trusted certs
> would be via this code:
> https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L48
> ).
>
> So is there some plan to have such a "union" / merging directly in
> the JDK?
>
> Or any hints how to handle this?
>
> (seems there are some people building a "union" / merged trustStore
> with scripts but this looks a bit like a hack to me and will not work
> for all users)
>
> Best regards, Matthias
>
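As an added illustration of the DKS route Sean describes (example code written for this page, not from the JDK or either linked thread): it writes a constructed DKS configuration that presents the JDK cacerts and a hypothetical organization PKCS12 truststore (placeholder path) as one "union-trust" domain, loads it as a single KeyStore, and initializes a PKIX TrustManagerFactory from it programmatically, since there is no system property to make a DKS the JVM default. The class and method names and the ORG_TRUSTSTORE_PASSWORD variable are assumptions, and it assumes a store omitted from the protection map is loaded with a null password (no integrity check, which is enough for trust anchors).

```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class UnionTrustStore {
    // Constructed DKS config: JDK cacerts plus a hypothetical org PKCS12 store (placeholder path).
    private static final String DKS_CONFIG = """
        domain union-trust {
            keystore jdk-cacerts
                keystoreURI="${java.home}/lib/security/cacerts";
            keystore org-truststore
                keystoreType="PKCS12"
                keystoreURI="file:///etc/pki/app/org-truststore.p12";
        };
        """;

    /** Loads both stores as one logical KeyStore of type "DKS". */
    static KeyStore loadUnion(char[] orgStorePassword) throws Exception {
        Path config = Files.createTempFile("dks", ".config");
        Files.writeString(config, DKS_CONFIG);
        // The URI fragment selects the domain name inside the config file.
        URI configUri = new URI(config.toUri() + "#union-trust");
        // Only the org store gets a password; cacerts is assumed to load with a null password.
        Map<String, KeyStore.ProtectionParameter> protection = Map.of(
            "org-truststore", new KeyStore.PasswordProtection(orgStorePassword));
        KeyStore union = KeyStore.getInstance("DKS");
        union.load(new DomainLoadStoreParameter(configUri, protection));
        return union;
    }

    /** Builds an SSLContext whose PKIX trust manager consults the union store. */
    static SSLContext sslContextFor(KeyStore union) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(union);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("ORG_TRUSTSTORE_PASSWORD"); // hypothetical env var
        KeyStore union = loadUnion(pw == null ? new char[0] : pw.toCharArray());
        SSLContext.setDefault(sslContextFor(union)); // used by clients that take the default context
    }
}
```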