How to preserve the CAcerts keystore on Mac across updates?

前端 未结 3 1862
失恋的感觉
失恋的感觉 2021-02-06 09:18

Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very

相关标签:
3条回答
  • 2021-02-06 09:30

    [ This is outdated info - see the answer below for 10.6+ ]

    /System/Library/Frameworks/JavaVM.framework/Home/ is a symlink to Versions/CurrentJDK/Home within JavaVM.framework. Obviously this will change with a new Version. Use the full path (e.g. /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home) and it won't change across updates.

    0 讨论(0)
  • 2021-02-06 09:48

    The following parameters can be used to specify the location of the cacerts file to java:

    -Djavax.net.ssl.trustStore=<cacerts.location>
    -Djavax.net.ssl.trustStorePassword=changeit
    

    Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.

    Two downsides to this approach are:

    • Your file won't get any updates to the cacerts file in the sdk. This is primarily an issue if a certificate authority is compromised.
    • Everywhere you need the custom cacerts (build tools, app server, etc), these parameters need to be specified.
    0 讨论(0)
  • 2021-02-06 09:52

    It seems things have changed in Mac OS X 10.6.8 Snow Leopard. Now /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts is a symlink to /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts, which won't change on updates, if we're lucky.

    0 讨论(0)
提交回复
热议问题