TrustManagerFactory uses the following steps, in this order, to try to find trust material:
1. the keystore named by the system property javax.net.ssl.trustStore
2. <java-home>/lib/security/jssecacerts
3. <java-home>/lib/security/cacerts (shipped by default)
This means that if we want to trust a custom proxy or internal certificate, we should put it in a new keystore file called "jssecacerts" in <java-home>/lib/security and make sure its password is "changeit".
The Java program will then pick up those certificates automatically and use them for HTTPS and client-certificate based connections.
This is the most common fix for the Java PKIX SSL error.
If you do not wish to put jssecacerts in lib/security, you can place it anywhere else and pass its location to the JVM as system properties.
These can be passed directly on the java command line:
$ java -Djavax.net.ssl.trustStore=/<PATH>/jssecacerts -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -jar <YOUR-APP>.jar
or via the JAVA_OPTS environment variable:
$ export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/<PATH>/jssecacerts -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit"
When using the system property approach you need not keep the password as "changeit"; use a strong password instead. Bear in mind that a password given on the command line is visible to other local users through the process list.
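To confirm which trust store a JVM will actually pick up, and that the internal CA you imported is in it, here is a small diagnostic that mirrors the lookup order above (an added example, not code from the original post); the class name TrustStoreCheck, the optional alias argument and the "changeit" fallback are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Added example: resolves the trust store like TrustManagerFactory and lists its CA entries. */
public class TrustStoreCheck {

    /** Same precedence as the text: system property, then jssecacerts, then cacerts. */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        // Fall back to "changeit", the password the text relies on; the property wins when set.
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Optional first argument (assumed): alias of the internal CA you expect to find.
        String wanted = args.length > 0 ? args[0] : null;

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password.toCharArray()); // wrong password => IOException on a JKS store
        }
        System.out.println("Trust store in effect: " + store + " (" + ks.size() + " entries)");
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            if (wanted != null && !alias.equalsIgnoreCase(wanted)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + cert.getSubjectX500Principal() + ", expires " + cert.getNotAfter());
            found = true;
        }
        if (wanted != null && !found) {
            System.out.println("Alias '" + wanted + "' not in this store: PKIX validation will not trust that CA");
            System.exit(1);
        }
    }
}
```

Run it with the same -D options you give the application so it reports the store that application will use; a non-zero exit means the expected CA alias is missing from that store.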