OS & JVM keystores

Sean Mullan sean.mullan at oracle.com
Thu Oct 2 14:18:06 UTC 2025


On 10/2/25 8:31 AM, Baesken, Matthias wrote:
>
> Hi Sean, what you propose sounds really good.
>
> The DKSTest  I found
>
> https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/DKSTest.java#L111
>
> mentions also ‘system’, is this the system (OS, e.g. Windows) 
> keystore or the cacert?
>
No, that's just the name of the domain in the config file: 
https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/domains.cfg

See also the constructor which explains the URI parameter: 
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html#%3Cinit%3E(java.net.URI,java.util.Map)

--Sean

> The documentation at
>
> https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
>
> mentions ‘system’ as keystore system-truststore but there it is 
> pointing to keystoreURI="${java.home}/lib/security/cacerts";
>
> Best regards, Matthias
>
> > Hi,
> >
> > There is already a feature in the JDK that is close to what you are 
> > looking for. There is a KeyStore type called "DKS" (called the 
> > DomainKeyStore). See 
> > https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html 
> > for more info on how to configure it.
> >
> > Basically, it uses a config file to present a collection of keystores 
> > as one logical keystore.
> >
> > Currently there is no way to specify the configuration file as a 
> > system property, so you would have to write a custom TrustManagerFactory.
> >
> > I would try seeing if this solution is workable and we can think 
> > about whether adding a system property for the config file is 
> > something that would be useful.
> >
> > --Sean
>
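The following is an added example, not code from this thread or from the JDK, showing what Sean's suggestion looks like in practice: a domain config file (in the grammar documented for DomainLoadStoreParameter) that presents the JDK's cacerts plus a second trust store as one logical "DKS" keystore, which is then used to initialise a TrustManagerFactory and an SSLContext. The domain name `combined`, the keystore names `system-truststore` and `corp-roots`, the file names and the passwords are all assumptions made up for the example; the second store is created empty so the program runs on any machine. The `changeit` password for cacerts is the historical default and is ignored by the password-less PKCS12 cacerts shipped in recent JDKs.

```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Example only: combine cacerts and a second trust store via the DKS keystore type. */
public class DksTrustStoreExample {

    /** Loads the DKS keystore described by the config file and returns it. */
    static KeyStore loadCombinedTrustStore(Path cfg, Map<String, KeyStore.ProtectionParameter> protection)
            throws Exception {
        KeyStore dks = KeyStore.getInstance("DKS");
        // The URI fragment selects which "domain { ... }" block in the config file to load.
        dks.load(new DomainLoadStoreParameter(URI.create(cfg.toUri() + "#combined"), protection));
        return dks;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("dks-example");

        // Assumed second trust store (stand-in for corporate roots); left empty so the example runs anywhere.
        char[] corpPassword = "corp-password".toCharArray(); // assumed value
        Path corpStore = dir.resolve("corp-roots.p12");
        KeyStore corp = KeyStore.getInstance("PKCS12");
        corp.load(null, null);
        try (OutputStream out = Files.newOutputStream(corpStore)) {
            corp.store(out, corpPassword);
        }

        // Domain config file: one logical keystore made of the JDK cacerts plus the extra store.
        Path cfg = dir.resolve("domains.cfg");
        Files.writeString(cfg, """
            domain combined {
                keystore system-truststore
                    keystoreURI="${java.home}/lib/security/cacerts";
                keystore corp-roots
                    keystoreType="PKCS12"
                    keystoreURI="%s";
            };
            """.formatted(corpStore.toUri()));

        // Protection parameters are keyed by the keystore names used in the config file.
        Map<String, KeyStore.ProtectionParameter> protection = new HashMap<>();
        protection.put("system-truststore", new KeyStore.PasswordProtection("changeit".toCharArray()));
        protection.put("corp-roots", new KeyStore.PasswordProtection(corpPassword));

        KeyStore dks = loadCombinedTrustStore(cfg, protection);

        // Aliases of the member keystores are exposed through the single DKS view.
        int count = 0;
        for (String alias : Collections.list(dks.aliases())) {
            count++;
        }
        System.out.println("Trusted entries visible through DKS: " + count);

        // This is the piece an application currently has to wire up itself, since there is no
        // system property for the config file: a TrustManagerFactory backed by the DKS keystore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(dks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised with protocol " + ctx.getProtocol());
    }
}
```

Run with `java DksTrustStoreExample.java` on JDK 15 or later (text blocks are used for the config). To add an OS-level store such as the Windows root store, the usual route is still a separate `KeyStore.getInstance("Windows-ROOT")` rather than a DKS member, because DKS members are addressed by `keystoreURI`.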