OS & JVM keystores
Baesken, Matthias
matthias.baesken at sap.com
Thu Oct 2 12:31:16 UTC 2025
Hi Sean, what you propose sounds really good.
The DKSTest I found
https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/DKSTest.java#L111
mentions also ‘system’ , is this the system (OS , e.g. Windows) – keystore or the cacert ?
The documentation at
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
mentions ‘system’ as keystore system-truststore but there it is pointing to keystoreURI="${java.home}/lib/security/cacerts";
Best regards, Matthias
>Hi,
>There is already a feature in the JDK that is close to what you are looking for. There is a KeyStore type called "DKS" (called the DomainKeyStore). See https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html for more info on how to configure it.
>Basically, it uses a config file to present a collection of keystores as one logical keystore.
>Currently there is no way to specify the configuration file as a system property, so you would have to write a custom TrustManagerFactory.
>I would try seeing if this solution is workable and we can think about whether adding a system property for the config file is something that would be useful.
>--Sean
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20251002/d3459a01/attachment-0001.htm>
More information about the security-dev
mailing list