<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <div class="moz-cite-prefix">On 10/2/25 8:31 AM, Baesken, Matthias
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:DU2PR02MB1025826C3A0315697B198A44C93E7A@DU2PR02MB10258.eurprd02.prod.outlook.com">
      
      <div class="WordSection1">
        <p class="MsoNormal">Hi Sean, what you propose sounds really
          good.</p>
        <p class="MsoNormal">The DKSTest I found</p>
        <p class="MsoNormal"><a href="https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/DKSTest.java#L111" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/DKSTest.java#L111</a></p>
        <p class="MsoNormal">mentions also ‘system’, is this the
          system (OS, e.g. Windows) – keystore or the cacert?</p>
      </div>
    </blockquote>
    <p>No, that's just the name of the domain in the config file:
<a class="moz-txt-link-freetext" href="https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/domains.cfg">https://github.com/openjdk/jdk/blob/8be16160d2a6275ff619ea4cebb725475c646052/test/jdk/sun/security/provider/KeyStore/domains.cfg</a></p>
    <p>See also the constructor which explains the URI parameter:
<a class="moz-txt-link-freetext" href="https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html#%3Cinit%3E(java.net.URI,java.util.Map)">https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html#%3Cinit%3E(java.net.URI,java.util.Map)</a><br>
      <br>
      --Sean</p>
    <blockquote type="cite" cite="mid:DU2PR02MB1025826C3A0315697B198A44C93E7A@DU2PR02MB10258.eurprd02.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">The documentation at</p>
        <p class="MsoNormal"><a href="https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html" moz-do-not-send="true" class="moz-txt-link-freetext">https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html</a></p>
        <p class="MsoNormal">mentions ‘system’ as keystore
          system-truststore but there it is pointing to
          keystoreURI="${java.home}/lib/security/cacerts";</p>
        <p class="MsoNormal">Best regards, Matthias</p>
        <p>>Hi,</p>
        <p>>There is already a feature in the JDK that is close to
          what you are looking for. There is a KeyStore type called
          "DKS" (called the DomainKeyStore). See
          <a href="https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html" moz-do-not-send="true" class="moz-txt-link-freetext">
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html</a>
          for more info on how to configure it.<br>
          <br>
          >Basically, it uses a config file to present a collection
          of keystores as one logical keystore.<br>
          <br>
          >Currently there is no way to specify the configuration
          file as a system property, so you would have to write a custom
          TrustManagerFactory.</p>
        <p>>I would try seeing if this solution is workable and we
          can think about whether adding a system property for the
          config file is something that would be useful.<br>
          <br>
          >--Sean</p>
      </div>
    </blockquote>
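    <p>The DKS approach discussed in this thread, as an added example that is
      not part of the original messages or of the JDK sources: it loads the
      "system" domain from a domain config file and uses the resulting logical
      keystore as the trust anchor set for an SSLContext, set up
      programmatically rather than through a custom TrustManagerFactory
      provider. The class name DksTrustExample and the temporary config file
      are assumptions made for the example; the domain and keystore names
      follow the ones quoted above.</p>
    <pre>
```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DomainLoadStoreParameter;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; example code, not taken from the JDK.
public class DksTrustExample {
    public static void main(String[] args) throws Exception {
        // Constructed domain config. "system" is only the domain's name;
        // further "keystore" entries (for example a private CA store)
        // would be listed inside the same domain block.
        String config = String.join("\n",
            "domain system {",
            "    keystore system-truststore",
            "        keystoreURI=\"${java.home}/lib/security/cacerts\";",
            "};");
        Path cfg = Files.createTempFile("domains", ".cfg");
        Files.writeString(cfg, config);

        // The URI fragment selects which domain in the file to load.
        URI uri = new URI(cfg.toUri() + "#system");

        // No protection parameters: the stores are opened without a
        // password, so their integrity is not checked on load.
        KeyStore dks = KeyStore.getInstance("DKS");
        dks.load(new DomainLoadStoreParameter(uri, Collections.emptyMap()));

        // Every certificate entry of every keystore in the domain
        // becomes a trust anchor for this factory.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(dks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        System.out.println("Entries in domain 'system': " + dks.size());
        Files.delete(cfg);
    }
}
```
    </pre>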
  </body>
</html>