Runtime java cacerts generation

Michal Vyskocil mvyskocil at
Thu Apr 15 07:28:07 PDT 2010

Hi all,

my brave colleague from security team is working on redesign of a certificates 
system in SUSE[1]. For programs like Java requires an own format he wants to 
be able to generate the new file after installation. The current approach 
calling keytool for each certificate file is very slow and unusable. Each run 
of keytool requires a start of whole JVM, which is not optimal for one small 

The[2] is able to run over the directory, reads all pem files 
from it and generate cacerts file in one run, which makes it very quick:

$ time java keystore -keystore cacerts -cadir /usr/share/ca-
certificates/mozilla/ -storepass 'changeit' -f
121 added, 0 removed.

real    0m0.852s
user    0m0.697s
sys     0m0.058s

and this can be called from %post of package after certificates update. I 
tested the final cacerts using Pavel's TestHttps [3].

So your comments and thoughts are welcome.

BTW: it can be build using gcj and run under gij, but I did not test the gcc-
java created cacerts under openjdk.


Michal Vyskocil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : 

More information about the distro-pkg-dev mailing list