How to preserve the CAcerts keystore on Mac across updates?

失恋的感觉 2021-02-06 09:18

Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very

3 answers
  •  既然无缘
    2021-02-06 09:48

    The following parameters can be used to specify the location of the cacerts file to java:

    -Djavax.net.ssl.trustStore=
    -Djavax.net.ssl.trustStorePassword=changeit
    

    Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.

    Two downsides to this approach are:

    • Your file won't get any updates to the cacerts file in the sdk. This is primarily an issue if a certificate authority is compromised.
    • Everywhere you need the custom cacerts (build tools, app server, etc), these parameters need to be specified.
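
Added example, not part of the answer above: a shell script for the first downside, comparing a private truststore copy with the JDK's current cacerts by certificate fingerprint. It parses `keytool -list` output; the function names and the `~/.truststore/cacerts` path in the usage comment are hypothetical, and the store password is assumed to be the default `changeit`.

```shell
#!/bin/sh
# Usage (paths are examples; the first one is a hypothetical location for your copy):
#   sh cacerts-drift.sh ~/.truststore/cacerts \
#     /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts

# Read `keytool -list` output on stdin and print one "FINGERPRINT alias" line
# per trusted certificate. keytool prints the alias line first, then the
# "Certificate fingerprint (...)" line for the same entry.
parse_keytool_list() {
  awk '
    /trustedCertEntry/        { alias = $0; sub(/,.*/, "", alias) }
    /^Certificate fingerprint/ { fp = $0; sub(/^[^:]*: */, "", fp); print fp, alias }
  ' | sort
}

# drift COPY_LISTING JDK_LISTING
# Both arguments are files holding `keytool -list` output. Certificates are
# matched by fingerprint, not alias, because aliases differ between JDK builds.
drift() {
  {
    parse_keytool_list < "$1" | sed 's/^/C /'   # entries from the private copy
    parse_keytool_list < "$2" | sed 's/^/J /'   # entries from the JDK store
  } | awk '
    $1 == "C" { c[$2] = substr($0, 3) }
    $1 == "J" { j[$2] = substr($0, 3) }
    END {
      for (f in c) if (!(f in j)) print "only-in-copy", c[f]
      for (f in j) if (!(f in c)) print "only-in-jdk", j[f]
    }' | sort
}

# Run against real keystores only when two paths are given.
if [ "$#" -eq 2 ]; then
  tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
  keytool -list -keystore "$1" -storepass changeit > "$tmp/copy"
  keytool -list -keystore "$2" -storepass changeit > "$tmp/jdk"
  drift "$tmp/copy" "$tmp/jdk"
fi
```

Entries reported as `only-in-copy` are your internal CAs plus any root the updated JDK no longer ships; the latter are the ones to review and delete from the copy. Running it after each Java update keeps the copy from silently trusting a CA that was removed upstream.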
