Interesting that I am able to accomplish all this with just a keystore.... my cacerts would not be loaded, I s'pose, on startup (and I know it is not) because my $JAVA_HOME is the jdk root perhaps..... I am 99% sure I determined the keystore (not truststore) search mechanism by walking thru the jdk code in a debugger. So there may be some legacy stuff in there.
On Thu, Mar 11, 2010 at 6:29 AM, Marvin Addison <[email protected]> wrote: >> AFAIK, the cacerts file at that location is never consulted by >> default... the default keystore location is $HOME/.keystore > > This is incorrect. > http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html > indicates the search order is as follows: > > 1. Location specified by javax.net.ssl.trustStore system property > 2. $JRE_HOME/lib/security/jssecacerts > 3. $JRE_HOME/lib/security/cacerts > > In a default install, only cacerts exists and contains the usual > suspects (Thawte, Verisign, etc). Note we care about truststores in > this case since it's the remote certificate check that is failing. > > M > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- Jon Gorrono PGP Key: 0x5434509D - http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index} Thawte Notary - https{www.thawte.com/cgi/personal/wot/directory.exe?node=312} GSWoT Introducer - {GSWoT:US75 5434509D Jon P. Gorrono <jpgorrono - gswot.org>} http{ats.ucdavis.edu} -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
