Home/ Questions/Q 7070405
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:33:45+00:00

We had been using java standard keystore ( $JAVA_HOME/jre/lib/security/cacerts ) as the trusted store

  • 0

We had been using java standard keystore ($JAVA_HOME/jre/lib/security/cacerts) as the trusted store for tomcat. And that tomcat server would communicate with some other server. A recent OS(AIX) upgrade apparently over-wrote the file at $JAVA_HOME/jre/lib/security/cacerts and that resulted in lost certificates and lot of issues with application hosted in tomcat.

Looking at this is it a bad practice to relay up on $JAVA_HOME/jre/lib/security/cacerts ?
What are the alternate (better|standard) ways to tackle this scenario?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In terms of what is in the cacerts file, it’s not necessarily worse practice than relying on the default CA certificates installed in your OS or your browser, but that doesn’t mean it’s great.

    Sun/Oracle have a little “important note” somewhere in the middle of the JSSE Reference Guide about this:

    IMPORTANT NOTE: The JDK ships with a limited number of trusted root
    certificates in the /lib/security/cacerts file. As
    documented in keytool, it is your responsibility to maintain (that is,
    add/remove) the certificates contained in this file if you use this
    file as a truststore.

    Depending on the certificate configuration of the servers you contact,
    you may need to add additional root certificate(s). Obtain the needed
    specific root certificate(s) from the appropriate vendor.

    In terms of configuration, for specific applications where I’ve had to install “local” CA certificates, I find it more stable to use a local trust store (for example, specified with javax.net.ssl.trustStore).

    • 0