Set JRE to use Windows trust store, specifically the user's trust store

Bagheera · Mar 8, 2018 · Viewed 17k times

Summary: Java option -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT allows Java to use the Windows trust store for the computer account. What option allows it to use the Windows trust store for the user account?

We have a Java application that we run on our Windows clients. The application gets data from various sources, some of which use certificates that are not in the default cacerts file.

When a user selects an item that accesses the external data, they are prompted to download the external site's certificate. Due to our security settings, the cacerts file is read-only for users. Because the JRE can't import the cert into cacerts, the external data isn't downloaded, and the user is prompted over and over to download the cert.

When a user is given write access to cacerts, the issue doesn't occur. But our security team will not let us grant write access to that file to regular users. Their policy is that no files on the C: drive, outside the user's own profile, should be read-write.

We thought we found a workaround to make Java use the Windows trust store. We added the flag -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT to the startup script. This forced Java to use the Windows trust store, which users can write to.

Unfortunately, users can only write to their certificate store, not to the computer's certificate store. When we run the app as an administrator, the certificate is imported into the computer's store. After that, regular users are not prompted to download the cert. However, if we don't run it once with admin rights, the cert is not imported, because Java tries to write to the Windows computer account store, which is locked down just as tightly as cacerts.

Is there a flag to force Java to use the entire Windows trust store, not just the computer account's store?

Answer

dave_thompson_085 · Mar 9, 2018

A keystore of type Windows-ROOT should work -- it should access the TrustedRootCAs portion (line in MMC/certmgr.msc, tab in inetcpl.cpl) of the store for the current user. On my system, which is 8.1 Home with UAC at max, but not in a domain or workgroup and no policy changes (at least none I authorized), Java code is able to insert into Windows-ROOT -- BUT it does pop a dialog about "Warning: about to install CA cert blah blah this may be a security risk blah blah" which I have to click; if the process doesn't have access to the 'workstation' (display) I don't know what happens and it wouldn't surprise me if it fails. Confirmed with both my normal id (local, admin) and Guest (local, peon); as a standalone system I have no real computer account, only 'local machine' which IINM is actually LocalSystem, and the insert does NOT go there.

You could try instead Windows-MY, which should (and for me does) access the Personal portion of the store for (again) the current user; for me that works WITHOUT the dialog described above. Personal is intended for certs with private keys that can be used to authenticate this machine/user to server(s) or recipient(s), and having in there a cert-only entry used to trust another system may confuse or even alarm your more knowledgeable users, but it does work for me.
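The behaviour described in the answer, as an added example that is not part of the original question or answer: a small Java program that opens the current user's Windows-ROOT (or Windows-MY) store through the SunMSCAPI provider, checks whether a CA certificate is already present before calling setCertificateEntry (so the CAPI install dialog on Windows-ROOT is only triggered once), and then builds an SSLContext from that store, which is what -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT does implicitly. The PEM/DER file path taken from argv, the "java-<fingerprint>" alias scheme and the choice of store type are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class WindowsTrustStoreDemo {

    // Open one of the per-user stores exposed by the SunMSCAPI provider on Windows JREs.
    // "Windows-ROOT" is the current user's Trusted Root Certification Authorities;
    // "Windows-MY" is the current user's Personal store. Neither store is file-backed,
    // so load() takes no stream and no password.
    static KeyStore openWindowsStore(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Alias under which an identical (byte-for-byte DER) certificate is already stored, or null.
    static String findAlias(KeyStore ks, Certificate cert) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate existing = ks.getCertificate(alias);
            if (existing != null && existing.equals(cert)) return alias;
        }
        return null;
    }

    // Idempotent import. On Windows-ROOT this is the call that makes CAPI pop the
    // "do you want to install this certificate" dialog described in the answer, so
    // checking first avoids prompting the user on every run.
    static void ensureTrusted(KeyStore ks, X509Certificate cert) throws Exception {
        if (findAlias(ks, cert) != null) return;
        // alias scheme is an assumption of this example, not a Windows or JDK convention
        String alias = "java-" + sha256Fingerprint(cert).substring(0, 16).toLowerCase();
        ks.setCertificateEntry(alias, cert);
        ks.store(null, null); // the Windows stores persist immediately; stream/password must be null
    }

    // Build an SSLContext whose trust anchors come from the Windows store, the programmatic
    // equivalent of starting the JVM with -Djavax.net.ssl.trustStoreType=<type>.
    static SSLContext sslContextFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java WindowsTrustStoreDemo [ca.cer] [Windows-ROOT|Windows-MY]
    public static void main(String[] args) throws Exception {
        String storeType = args.length > 1 ? args[1] : "Windows-ROOT";
        KeyStore ks = openWindowsStore(storeType);
        System.out.println(storeType + " currently holds " + ks.size() + " entries");

        if (args.length > 0) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate ca;
            try (InputStream in = new FileInputStream(args[0])) {
                ca = (X509Certificate) cf.generateCertificate(in);
            }
            System.out.println("Importing " + ca.getSubjectX500Principal()
                + " SHA-256 " + sha256Fingerprint(ca));
            ensureTrusted(ks, ca);
            System.out.println("Stored under alias " + findAlias(ks, ca));
        }

        SSLContext.setDefault(sslContextFrom(ks));
    }
}
```

Run it as the ordinary (non-admin) user: with Windows-ROOT the first import raises the CAPI warning dialog and the certificate lands in the user's store (Cert:\CurrentUser\Root in PowerShell terms), never in the machine store; a second run finds the existing alias and does not prompt. Printing the SHA-256 fingerprint before calling setCertificateEntry gives the user something to compare against an out-of-band value before clicking through the dialog. Newer JDKs (19 onward) also register explicit "Windows-ROOT-CURRENTUSER" and "Windows-ROOT-LOCALMACHINE" store types; on the JDK versions current at the time of the question, "Windows-ROOT" is the current-user store as the answer says.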