Posts java jssecacerts

java jssecacerts

TrustManagerFactory uses the following steps to try to find trust material:

system property


java-home/lib/security/cacerts (shipped by default)

This basically means that if we want to include any custom proxy or internal certs.

We should put it in a new keystore file called “jssecacerts” make sure the password is “changeit”.

Then automatically the java program will pick up the certs and use them for HTTPS or client certs based connections.

This is the most common solution for java PKIX SSL error

If you do not wish to put the jssecacerts in lib/security you can place it anywhere else and then pass the information as system parameter to JVM.

This can be directly passed to java by:

$ java<PATH>/jssecacerts

or via JAVA_OPTS

$ JAVA_OPTS=$JAVA_OPTS<PATH>/jssecacerts

You need not set password as “changeit” when using the system parameter approach, rather use complex password.

This post is licensed under CC BY 4.0 by the author.