Why does java have both the cacerts and jssecacerts files?

hooknc · Apr 18, 2011 · Viewed 53.6k times

I'm seriously confused on the differences between cacerts and jssecacerts files.

I know that by default java looks for the jssecacerts file and then the cacerts file.

But what is the point of the jssecacerts file?

My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other java applications that run on that machine won't accidentally trust non-default CAs.

Answer

Lee Chee Kiam · Jun 5, 2013

From the Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:

  1. system property javax.net.ssl.trustStore
  2. java-home/lib/security/jssecacerts
  3. java-home/lib/security/cacerts (shipped by default)

I think this is based on the convention over configuration concept. Without extra coding effort, cacerts will be used. For extra private CA/signing certs, a developer can use either the first or the second way, where the former may just contain a particular cert but the latter contains a list of certs.
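To make the three-step lookup concrete, here is a small added example (not code from the answer, the question, or the JDK) that resolves the default trust store the same way the JSSE guide describes, loads it, and lists the trusted CA entries so you can see exactly which file a JVM on a given machine would trust. It assumes the standard properties `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword`, the default cacerts password `changeit`, and that the store is readable with the JVM's default KeyStore type (JKS and PKCS12 are mutually readable on modern JDKs).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Mirrors the search order documented in the JSSE Reference Guide for the
 * default TrustManagerFactory: (1) javax.net.ssl.trustStore, (2) jssecacerts,
 * (3) cacerts, both under ${java.home}/lib/security. Only the first hit is
 * used; the files are never merged.
 */
public class TrustStoreLookup {

    /** Returns the path the default TrustManagerFactory would load, in JSSE order. */
    static Path resolveDefaultTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return Paths.get(explicit);              // step 1: system property wins outright
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = securityDir.resolve("jssecacerts");
        if (Files.isRegularFile(jsse)) {
            return jsse;                             // step 2: site-local override, replaces cacerts entirely
        }
        return securityDir.resolve("cacerts");       // step 3: the store shipped with the JDK
    }

    /** Loads a trust store; the password only enables the integrity check on a JKS file. */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveDefaultTrustStore();
        // "changeit" is the well-known default password of the shipped cacerts file
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = load(store, pw.toCharArray());

        System.out.println("Trust store in use: " + store);
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {      // trusted CA entries, not private keys
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
                count++;
            }
        }
        System.out.println(count + " trusted certificate entries");
    }
}
```

Run it once with no arguments (`java TrustStoreLookup.java` on JDK 11+) to see the JDK's own cacerts, then again with `-Djavax.net.ssl.trustStore=/path/to/mycacerts` to confirm the property takes precedence. The approach the question describes maps onto this directly: `keytool -importkeystore -srckeystore "$JAVA_HOME/lib/security/cacerts" -destkeystore mycacerts` copies the shipped store, `keytool -importcert -keystore mycacerts -alias my-private-ca -file ca.pem` adds the private CA, and only the application started with the `-Djavax.net.ssl.trustStore` property picks it up. The one caveat worth checking on an existing machine is step 2: a jssecacerts file dropped into `lib/security` silently replaces cacerts for every JVM using that installation, so it must itself contain every public CA you still want trusted, not just the private one.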