Is there any function which tells me what's the current truststore being used in my program. On windows, the default trust store is at JAVA_HOME\lib\security\cacerts.
However, the default can be changed in a variety of ways.
Using -Djavax.net.ssl.keyStore
in the command line
Using Keystore
class.
If the program is running on an App Server under which the application runs may set the store path through it's panel.
If the program is running on Tomcat, then Tomcat settings may change the truststore.
and many other ways.
Is there a programmatic way by which I can find out the disk path of the truststore which is currently active?
Generally speaking, you can't (this is quite similar to this question).
In the JSSE API, trusting a certificate isn't actually determined by a trust store, but by a TrustManager
. Whilst it's often initialised with a keystore (the truststore), this is not necessary. In addition, the keystores themselves don't have to be files. There is nothing in the default trust manager API that lets you check where and how a potential trust store was used.
There isn't even anything in the SSLSocket
that lets you get back to its SSLSocketFactory
, and nothing there that lets you get back to its originating SSLContext
, and nothing there that lets you get the trust managers.
Which truststore/trust manager is currently active also depends very much on the application. Nothing tells you in general that the connections an application is making are using the default SSLContext
, which can be initialised by the javax.net.ssl.*
system properties. Applications are free to initialise their own SSLContext
s to create their sockets (this is what Tomcat do for its connectors when you specify certain values).
Since Java 6, the default (current) SSLContext
can also be changed globally (via SSLContext.setDefault(...)
.
You can find what's being used by default from the JSSE Reference Guide. The rest will depend on the documentation of each application. Using -Djavax.net.debug=SSL,trustmanager
may help if you need, but this isn't API access.
(By the way, -Djavax.net.ssl.keyStore
will set up the keystore for the default key manager, not the trust store.)