Re: OS & JVM keystores

Wed, 01 Oct 2025 11:52:29 -0700

BTW I think there are a few Composite Trust Managers out there, I know that „sslcontect kickstart“ had one https://github.com/Hakky54/sslcontext-kickstart  

to that extend such a merging manager would be a good general component 

(but the idea of merging os and cacerts Sounds only good on the first look)


Gruß,
Bernd
-- 
https://bernd.eckenfels.net
Von: security-dev <security-dev-r...@openjdk.org> im Auftrag von Baesken, Matthias <matthias.baes...@sap.com>
Gesendet: Mittwoch, Oktober 1, 2025 3:16 PM
An: security-dev@openjdk.org <security-dev@openjdk.org>
Cc: Sean Mullan <sean.mul...@oracle.com>; Langer, Christoph <christoph.lan...@sap.com>; Seán Coffey <sean.cof...@oracle.com>
Betreff: OS & JVM keystores
 

Hi , we were recently asked if it is possible to have in Java something like a "union" of the Java certs and the system keystore.

 

Currently it seems only be possible to use one of them, e.g. a) use the Java cacerts or  b) switch fully to the system keystore (on Windows, there seems to be -Djavax.net.ssl.trustStoreType=Windows-ROOT )

 

For a more detailed discussion see

 

https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929

 

"What we would need is a union of both keystores, which is currently not possible (neither is accessing the 'System Roots' nor is telling the JVM to use a union of multiple stores)."

 

and also

https://github.com/eclipse-packaging/packages/pull/224

 

 

Sean Coffey also pointed out that there is the option of  implementing  an own 'TrustManagerFactory' implementation via addition of a provider  (currently, only the JSSE provider provides such functionality by default. e.g. entry point to loading trusted certs would be via this code: https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L48   ).

 

 

 So is there some plan to have such a "union" / merging directly in  the JDK  ?

Or any hints how to handle this ?

 

(seems there are some people building a "union" / merged trustStore with scripts but this looks a bit like a hack to me and will not work for all users)

 

 

Best regards, Matthias

 

Reply via email to