<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Hi,</p>
<p>There is already a feature in the JDK that is close to what you
are looking for. There is a KeyStore type called "DKS" (called the
DomainKeyStore). See
<a class="moz-txt-link-freetext" href="https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html">https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html</a>
for more info on how to configure it.<br>
<br>
Basically, it uses a config file to present a collection of
keystores as one logical keystore.<br>
<br>
Currently there is no way to specify the configuration file as a
system property, so you would have to write a custom
TrustManagerFactory.</p>
<p>I would try seeing if this solution is workable and we can think
about whether adding a system property for the config file is
something that would be useful.<br>
<br>
--Sean</p>
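<p>Added example (not part of the original mail and not JDK code): for an application that builds its own trust managers, a DKS domain file can combine the JDK cacerts with a second store and be passed to the stock TrustManagerFactory. The second store is constructed here by copying one cacerts entry; the domain name <code>trust</code>, the store names <code>jdk</code> and <code>extra</code>, the alias <code>site-root</code> and the password are assumptions for the demo.</p>
<pre>
```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class DksUnionTrust {
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("dks-demo");
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] pw = "changeit".toCharArray();   // constructed demo password

        // Constructed second store: one certificate copied out of cacerts under a
        // new alias, standing in for a site-specific or exported OS trust store.
        KeyStore jdk = KeyStore.getInstance(cacerts.toFile(), (char[]) null);
        KeyStore extra = KeyStore.getInstance("PKCS12");
        extra.load(null, null);
        extra.setCertificateEntry("site-root", jdk.getCertificate(jdk.aliases().nextElement()));
        Path extraFile = dir.resolve("extra.p12");
        try (OutputStream out = Files.newOutputStream(extraFile)) {
            extra.store(out, pw);
        }

        // DKS domain configuration: two physical stores, one logical keystore.
        Path cfg = dir.resolve("trust.dks");
        Files.writeString(cfg, String.join("\n",
            "domain trust {",
            "    keystore jdk keystoreURI=\"" + cacerts.toUri() + "\";",
            "    keystore extra keystoreType=\"PKCS12\" keystoreURI=\"" + extraFile.toUri() + "\";",
            "};", ""));

        // The URI fragment selects the domain; the map supplies per-store passwords.
        KeyStore union = KeyStore.getInstance("DKS");
        union.load(new DomainLoadStoreParameter(URI.create(cfg.toUri() + "#trust"),
            Map.of("extra", new KeyStore.PasswordProtection(pw))));

        // Entries are exposed as "storeName alias" (the default separator is a space).
        System.out.println("has extra entry: " + union.containsAlias("extra site-root"));
        // The stock TrustManagerFactory accepts the combined store directly.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(union);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```
</pre>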
<div class="moz-cite-prefix">On 10/1/25 9:14 AM, Baesken, Matthias
wrote:<br>
</div>
<blockquote type="cite" cite="mid:DU2PR02MB10258B3A343C4C404349F02B593E6A@DU2PR02MB10258.eurprd02.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi, we were recently
asked if it is possible to have in Java something like a
"union" of the Java certs and the system keystore.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Currently it seems only
to be possible to use one of them, e.g. a) use the Java cacerts
or b) switch fully to the system keystore (on Windows,
there seems to be
-Djavax.net.ssl.trustStoreType=Windows-ROOT)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">For a more detailed
discussion see</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a href="https://urldefense.com/v3/__https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929__;!!ACWV5N9M2RV99hQ!MZG04zXcn4IlpyOa_UDJl2-Fzb8aajztWecVbGgy74qgYbxtucZFIoV_fZpyk__sk3QIXQc7xqj3ZlRNAaE8Tm_Iz8I$" moz-do-not-send="true"><span lang="en-DE">https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929</span></a></span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US">"What we would need
is a union of both keystores, which is currently not
possible (neither is accessing the 'System Roots' nor is
telling the JVM to use a union of multiple stores)."</span></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">and also</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a href="https://urldefense.com/v3/__https://github.com/eclipse-packaging/packages/pull/224__;!!ACWV5N9M2RV99hQ!MZG04zXcn4IlpyOa_UDJl2-Fzb8aajztWecVbGgy74qgYbxtucZFIoV_fZpyk__sk3QIXQc7xqj3ZlRNAaE8j4QB9Iw$" moz-do-not-send="true">https://github.com/eclipse-packaging/packages/pull/224</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Sean Coffey also pointed
out that there is the option of
</span><span lang="en-DE">implementing one's own
'TrustManagerFactory' implementation via addition of a
provider (currently, only the JSSE provider provides such
functionality by default. e.g. entry point to loading
trusted certs would be via this code:
<a href="https://urldefense.com/v3/__https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java*L48__;Iw!!ACWV5N9M2RV99hQ!Pdqi9KrO5AO_y6ZznwdSXbEoDEQHWDkIys-OOLQmQl134sT8OK4RyzRqIXu3e8oEQF3tnVeGP1Tnju0HOYp5hiQwZos$" moz-do-not-send="true">
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L48</a>
).</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">So is there some plan
to have such a "union" / merging directly in the JDK?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Or any hints how to
handle this?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">(seems there are some
people building a "union" / merged trustStore with scripts
but this looks a bit like a hack to me and will not work for
all users)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Best regards, Matthias</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-DE"><o:p> </o:p></span></p>
</div>
</blockquote>
</body>
</html>