On 10/8/2014 3:33 PM, Wang Weijun wrote:
>
> On Oct 8, 2014, at 12:25, Xuelei Fan <xuelei....@oracle.com> wrote:
>
>> On 10/8/2014 12:21 PM, Wang Weijun wrote:
>>> There are two keystores here. -keystore points to user's keystore that
>>> keytool will save into. cacerts is a read-only keystore that is used to
>>> find trusted certs.
>> Got it.
>>
>> Is it possible to add an optional argument for the "-trustcacerts"
>> option? If no argument, use the cacerts; otherwise, use the specified
>> value.
>
> Every keytool option either has an argument or not, so if you'd like it
> specified on the command line, a new option should be invented.
>
> Do you happen to know there are other cases where a user wants to customize
> the location of cacerts?
>
It looks strange to me now that this keytool command cannot specify the customized trusted anchor sources. Normally, the key store of the trust anchor should be customizable so that users can use a trust anchor other than the cacerts key store. For example, in JSSE, an application is able to use a key store other than cacerts as the trust store; in PKIX certification path building and validation, an application is also able to specify the trust store.

Xuelei

> Thanks
> Max
>
>>
>> Xuelei
>