Hi,

Following on from: https://bugs.openjdk.org/browse/JDK-8320362

It's now possible to get system roots on macOS devices in the truststore: KeychainStore-ROOT. That's quite useful. Unfortunately it doesn't cover everything though. In practice there are two issues I've found in trying to use it:

1. It is missing custom CA certificates, (which would have been included if Apple APIs - SecTrustCopyCustomAnchorCertificates - were used, see discussion at https://github.com/openjdk/jdk/pull/16722#issuecomment-1948542783)
2. It is missing intermediate certificates which are required for custom CA certificates, (these are not included with SecTrustCopyCustomAnchorCertificates although the root CAs above are).

The architecture at my company that is using the Zscaler MiTM proxy is:

Root CA -> Intermediate 1 -> Intermediate 2 -> Leaf

Where:
- All certs are in admin domain kSecTrustSettingsDomainAdmin
- Root CA is marked as always trust
- Intermediate 1 and 2 are Unspecified

Not all certificates get re-signed by Zscaler, some URLs are bypassed. So I need to be able to trust both custom CAs and the predefined roots.

I was thinking of creating a new truststore: KeychainStore-ALL. I think it could just reuse all the existing code, and work pretty seamlessly, (I have a separate patch for intermediate certs not working correctly - https://github.com/openjdk/jdk/pull/22911). It could be improved at the expense of more code to use the Apple APIs directly (SecTrustCopyCustomAnchorCertificates) and not read the keychain file.

What do you think?

Thanks
Tim
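As an added example (not part of the post above and not OpenJDK code), the following Java program shows the kind of workaround an application can use today while KeychainStore-ROOT only carries the predefined system roots: it loads that store where it exists (macOS, JDK 22 and later), parses a separately supplied PEM bundle of custom CA certificates, merges both into one in-memory PKCS12 store, and builds a PKIX TrustManager from the result. The class name, the "custom-cas.pem" path and the alias naming scheme are assumptions made for the example; the bundle file is a placeholder the reader supplies.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: merge macOS system roots with a custom CA bundle into one truststore. */
public final class MergedTrustStore {
    private MergedTrustStore() {}

    /** Load the macOS system roots exposed by KeychainStore-ROOT; returns null where the type is unavailable. */
    static KeyStore loadSystemRoots() throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("KeychainStore-ROOT");
            ks.load(null, null); // keychain-backed store: no file, no password
            return ks;
        } catch (KeyStoreException e) {
            return null; // not macOS, or a JDK without KeychainStore-ROOT
        }
    }

    /** Parse a PEM bundle (root plus intermediates, concatenated) into X.509 certificates. */
    static Collection<? extends Certificate> loadPemBundle(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            return cf.generateCertificates(in);
        }
    }

    /** Copy every certificate entry from the system store and the custom bundle into an in-memory PKCS12 store. */
    static KeyStore merge(KeyStore systemRoots, Collection<? extends Certificate> custom) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null); // creates an empty store
        if (systemRoots != null) {
            for (Enumeration<String> e = systemRoots.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (systemRoots.isCertificateEntry(alias)) {
                    merged.setCertificateEntry("system-" + alias, systemRoots.getCertificate(alias));
                }
            }
        }
        int i = 0;
        for (Certificate c : custom) {
            X509Certificate x = (X509Certificate) c;
            // Index prefix keeps aliases unique; KeyStore aliases are case-insensitive.
            merged.setCertificateEntry("custom-" + (i++) + "-" + x.getSubjectX500Principal().getName(), x);
        }
        return merged;
    }

    /** Build an SSLContext whose trust anchors are the entries of the merged store. */
    static SSLContext sslContextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path bundle = Path.of(args.length > 0 ? args[0] : "custom-cas.pem"); // placeholder path
        KeyStore system = loadSystemRoots();
        Collection<? extends Certificate> custom =
                Files.exists(bundle) ? loadPemBundle(bundle) : Collections.emptyList();
        KeyStore merged = merge(system, custom);
        System.out.println("system roots: " + (system == null ? 0 : system.size())
                + ", custom: " + custom.size() + ", merged: " + merged.size());
        SSLContext ctx = sslContextFor(merged);
        SSLContext.setDefault(ctx); // HttpsURLConnection and HttpClient now trust both sets
    }
}
```

One caveat worth knowing before adopting this: the PKIX TrustManager treats every certificate entry in the store it is given as a trust anchor. Putting the intermediates into the bundle therefore makes them anchors in their own right, which is more permissive than the keychain's own setting of "Unspecified" on them; if the proxy reliably sends its intermediates in the handshake, adding only the root to the bundle keeps the trust decision anchored on the root alone.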