Why does java have both the cacerts and jssecacerts files?
I'm seriously confused on the differences between cacerts and jssecacerts files.
I know that by default java looks for the jssecacerts file and then the cacerts file.
But what is the point of the jssecacerts file?
My understanding is that if a new truststore needs to be used then a copy of cacerts should be made and all new trusted CAs should be added to that copy. The copy of cacerts (with the new CAs) should then be referenced by the -Djavax.net.ssl.trustStore system property. That way other java applications that run on that machine won't accidently trust non-default CAs.
Solution 1:
From Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:
- system property
javax.net.ssl.trustStore java-home/lib/security/jssecacerts-
java-home/lib/security/cacerts(shipped by default)
I think this is based on convention over configuration concept. Without extra coding effort, cacert will be used. For extra private CA/Signing certs, a developer either can use first or second way, where former may just contain a particular cert but later contains a list of certs.
Solution 2:
As I understand it, the cacerts file is the shipped default one.
If there is a jssecacerts file it is used exclusively - not in addition to the cacerts file.
My recommendation: keep the cacerts file, copy to jssecacerts and add any private CA/Signing certs needed to the jssecacerts file.