Why does java have both the cacerts and jssecacerts files?
Tags: java, ssl, jsse, truststore

Java Problem Overview
I'm seriously confused on the differences between the cacerts and jssecacerts files.

I know that by default java looks for the jssecacerts file and then the cacerts file.

But what is the point of the jssecacerts file?

My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other java applications that run on that machine won't accidentally trust non-default CAs.
Java Solutions
Solution 1 - Java
From the Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:

- the javax.net.ssl.trustStore system property
- java-home/lib/security/jssecacerts
- java-home/lib/security/cacerts (shipped by default)

I think this is based on the convention over configuration concept. Without extra coding effort, cacerts will be used. For extra private CA/signing certs, a developer can use either the first or the second way, where the former may contain just a particular cert but the latter contains a list of certs.
Solution 2 - Java
As I understand it, the cacerts file is the shipped default one.

If there is a jssecacerts file it is used exclusively - not in addition to the cacerts file.

My recommendation: keep the cacerts file, copy it to jssecacerts and add any private CA/signing certs needed to the jssecacerts file.
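The lookup order given in Solution 1 and the "used exclusively" point in Solution 2 are easy to check from inside the JVM. The program below is an added example, not code from the answers or from the JDK: it mirrors the JSSE default order (property, then jssecacerts, then cacerts), then loads whichever store wins and lists its certificate aliases, so you can see exactly which CAs an application on that machine will trust. It assumes a standard JDK layout under java.home; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

/** Reports which trust store this JVM will use by default and what it trusts. */
public class TrustStoreResolver {

    /** Same precedence JSSE applies when no TrustManager is configured explicitly. */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) {
            return Paths.get(prop);            // 1. explicit override via -D
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        if (Files.isRegularFile(jsse)) {
            return jsse;                       // 2. replaces cacerts entirely when present
        }
        return security.resolve("cacerts");    // 3. shipped default
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        // JSSE loads the store without a password unless the property is set,
        // which skips the integrity check; mirror that here.
        String pwProp = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] pw = (pwProp == null || pwProp.isEmpty()) ? null : pwProp.toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, pw);
        }
        System.out.println("Trust store in use: " + store);
        System.out.println("Trusted CA entries: " + ks.size());
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("  " + alias);
            }
        }
    }
}
```

Run it once with and once without -Djavax.net.ssl.trustStore to confirm the override wins, and after copying cacerts to jssecacerts to confirm that only the copy is consulted.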
Solution 3 - Java
Good question. I think it arises from the historical fact that JSSE was once an add-on. JSSE does allow multiple providers, so maybe jssecacerts is only for the JSSE provider, and other providers might use their own.
But who used cacerts prior to JSSE is another question.