57

I'm seriously confused on the differences between cacerts and jssecacerts files.

I know that by default java looks for the jssecacerts file and then the cacerts file.

But what is the point of the jssecacerts file?

My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other java applications that run on that machine won't accidently trust non-default CAs.

Shashank Agrawal
  • 25,161
  • 11
  • 89
  • 121
hooknc
  • 4,854
  • 5
  • 31
  • 60
  • 1
    do you really find none of the 3 answers to be the correct one? Could you select the one you deem to be correct please? – JoeG Jul 13 '16 at 12:36

3 Answers3

45

From Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:

  1. system property javax.net.ssl.trustStore
  2. java-home/lib/security/jssecacerts
  3. java-home/lib/security/cacerts (shipped by default)

I think this is based on convention over configuration concept. Without extra coding effort, cacert will be used. For extra private CA/Signing certs, a developer either can use first or second way, where former may just contain a particular cert but later contains a list of certs.

Shashank Agrawal
  • 25,161
  • 11
  • 89
  • 121
Lee Chee Kiam
  • 11,450
  • 10
  • 65
  • 87
  • 13
    The point being once it finds 1, 2, or 3 it uses that exclusively, so jssecacerts would need to include ALL the certs if used. – JoeG Jul 13 '16 at 12:38
25

As I understand it, the cacerts file is the shipped default one.

If there is a jssecacerts file it is used exclusively - not in addition to the cacerts file.

My recommendation: keep the cacerts file, copy to jssecacerts and add any private CA/Signing certs needed to the jssecacerts file.

Shashank Agrawal
  • 25,161
  • 11
  • 89
  • 121
Chris
  • 259
  • 2
  • 2
  • 1
    Thanks for this, I too found that having a CA in cacerts doesn't work if a jssecacerts file exists, and it needs to be added to jssecacerts instead. – Damon Smith Jan 20 '14 at 02:38
  • 3
    @EJP You are not "clobber"ing the shipped jssecacerts file. There is no jssecacerts file shipped. By copying cacerts to jssecacerts Java will now use jssecacerts instead. Now you can add/remote certs from jssecacerts using `keytool` without worrying about changing the defaults (cacerts) that shipped with Java. Undoing any changes is as easy as removing jssecacerts from the directory. – Andrew Wynham Aug 13 '14 at 13:15
4

Good question. I think it arises from the historical fact that JSSE was once an add-on. JSSE does allow multiple providers, so maybe jssecacerts is only for the JSSE provider, and other providers might use their own.

But who used cacerts prior to JSSE is another question.

user207421
  • 305,947
  • 44
  • 307
  • 483