How support multiple TrustStores in java SSL client application

醉话见心 2021-01-12 14:06

In our java application we need to communicate with a list of servers on SSL using https protocol. The list of servers to communicate will change at runtime. Initially we do

2 answers
  •  花落未央
    2021-01-12 14:16

    This question is so old that I have my doubts my bit will help anyone but here goes...

    If you want to solve the OP's (original poster) problem without resorting to code changes you can configure your JVM (I only tested with Tomcat) to support the OP's desired config:

    1. leave the 'packaged' JDK cacerts file alone
    2. import your certs into a separate file and have your JAVA apps 'trust' them

    I used to just import my additional cert into a separate file and then reference it in my JVM startup with the parameter -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/jssecacerts with great success but I guess the recent (somewhat) JAVA security problems changed an automated inclusion of the cacerts file distributed with the SDK.

    So I found a nifty solution using intel from this post and these pages (with some minor changes):

    • http://www.coderanch.com/t/529157/Tomcat/Configure-Tomcat-trust-store-cacerts
    • http://andyarismendi.blogspot.com/2012/01/changing-tomcats-ca-trust-keystore-file.html

    What I used to do:

    • set the JVM trustStore parameter to my separate keystore file (that I'd import additional certs into) as follows

    What I do Now:

    • Set the trustStore parameter to the 'packaged' cacerts file
    • Set the keyStore parameter to my 'additional certs' file
    • Set the keyStorePassword parameter to my keyStore's password (default is changeit)

    What it looks like:

    -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts \
    -Djavax.net.ssl.keyStore=$JAVA_HOME/jre/lib/security/jssecacerts \
    -Djavax.net.ssl.keyStorePassword="changeit"

    Hope this is helpful to someone. I'm not 100% sure that you need to specify the keyStore password since you don't with the trustStore, but it works when you do.
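The question asks for several trust stores in one SSL client, while the answer above works with JVM properties, where `javax.net.ssl.trustStore` names a single file. As an added example (not code from the question or the answer), here is a delegating X509TrustManager that trusts the JDK default store plus any number of extra store files and can take new stores while the application is running; the class and method names are my own, and it deliberately leaves `javax.net.ssl.keyStore` alone, since that property holds the client's own key and certificate rather than trust anchors.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.net.ssl.*;

/** Accepts a server chain if ANY configured trust store validates it; stores can be added at runtime. */
public final class CompositeTrustManager implements X509TrustManager {
    // CopyOnWriteArrayList: safe to add stores from another thread while handshakes are running
    private final List<X509TrustManager> delegates = new CopyOnWriteArrayList<>();

    /** Adds the JDK default store (cacerts, or jssecacerts if present); a null KeyStore selects it. */
    public void addDefaultStore() throws Exception { addKeyStore(null); }

    /** Adds an extra trust-only store file ("JKS" or "PKCS12") holding imported CA or server certificates. */
    public void addStoreFile(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        addKeyStore(ks);
    }

    private void addKeyStore(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // PKIX path validation, exactly as the JDK default trust manager does it
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegates.add((X509TrustManager) tm); return; }
        }
        throw new IllegalStateException("store yielded no X509TrustManager");
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        CertificateException last = new CertificateException("no trust stores configured");
        for (X509TrustManager tm : delegates) {
            try { tm.checkServerTrusted(chain, authType); return; } // first store that validates wins
            catch (CertificateException e) { last = e; }
        }
        throw last; // every store rejected the chain: fail closed
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client-side trust manager: peer client certificates are not accepted");
    }

    @Override public X509Certificate[] getAcceptedIssuers() {
        return delegates.stream().flatMap(tm -> Arrays.stream(tm.getAcceptedIssuers())).toArray(X509Certificate[]::new);
    }

    /** SSLContext for HttpsURLConnection; no key store is passed, so client identity and trust stay separate. */
    public SSLContext toSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null); // hostname verification is still done by JSSE, not here
        return ctx;
    }
}
```

Call `addDefaultStore()` once, then `addStoreFile(...)` for each extra store as servers are added, and install the result with `HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())` or per connection.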
