Is there a way to load a different cacerts than the one specified in the java_home/jre/lib/security folder?

I have a single installation of java in a system that runs 2 or 3 applications.

All the applications use the same runtime.

Is there a way to specify a different keystores for t开发者_运维问答he ca certs than the one in java_home/jre/lib/security. That is, is there an option to specify an "extra" keystore that is loaded and added to the certs loaded from java_home/jre/lib/security/cacerts?

What I want to avoid is having to re-import our local ca every time I upgrade the jdk in the box.

I think you want to specify the truststore:

java -Djavax.net.ssl.trustStore=/home/gene/mycacerts ...

Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacerts in the $JAVA_HOME/jre/lib/security/ directory (although you'd still have to do that each time a JDK got installed/reinstalled). Sun's JSSE looks for $JAVA_HOME/jre/lib/security/jssecacerts before $JAVA_HOME/jre/lib/security/cacerts.

See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager

These both jvm options are used to locate custom truststore and their password.

java -Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit

In order to make sure what trustStore is being loaded by the application, add following argument as well,

-Djavax.net.debug=ssl:handshake

If your JVM contains more than one application then by default all the applications will use the default cacerts store which is in $JAVA_HOME/jre/lib/security/ location . But if you want the applications should use different cert store then you have to define the custom cert store and point to that. In this way you can create your own certstore. System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts");-- Use this line before creating the http/https session. You can import the certificates to the cusomtcacerts by using keytool also.

According to this:

Java SSE Referece Guide - Customization

You could use the system property:

javax.net.ssl.keyStore

Like:

java -Djavax.net.ssl.keyStore=youkeystore YourProgram

But!! I have never tried. Let me know if it works would you?