Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very
[ This is outdated info - see the answer below for 10.6+ ]
/System/Library/Frameworks/JavaVM.framework/Home/ is a symlink to Versions/CurrentJDK/Home within JavaVM.framework. Obviously this will change with a new version. Use the full path (e.g. /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home) and it won't change across updates.
The following parameters can be used to specify the location of the cacerts file to java:
-Djavax.net.ssl.trustStore=<cacerts.location>
-Djavax.net.ssl.trustStorePassword=changeit
Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.
Two downsides to this approach are:
It seems things have changed in Mac OS X 10.6.8 Snow Leopard. Now /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts is a symlink to /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts, which won't change on updates, if we're lucky.
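The private trust store copy described in the answer above that uses -Djavax.net.ssl.trustStore, as an added shell example that is not part of any of the original answers. The function names, the `.orig` baseline file and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. All paths passed in are the
# caller's choice; nothing here is specific to one Java version.

# Copy the JDK trust store to a private file outside the JDK tree.
#   $1 = system cacerts (may be a symlink)   $2 = destination file
# A baseline copy ($2.orig) is kept so later changes to the system store can
# be detected even after internal CAs were imported into $2.
copy_truststore() (
    src=$1 dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    umask 077                       # new files: owner-only
    mkdir -p "$(dirname "$dest")" || return 1
    # cp follows a symlinked source, so both copies are regular files
    cp "$src" "$dest" && cp "$src" "$dest.orig" || return 1
    chmod 600 "$dest" "$dest.orig"  # also tighten pre-existing files
)

# Succeeds (status 0) when the system store no longer matches the baseline,
# i.e. an update replaced it and the private copy should be rebuilt.
system_store_changed() {
    ! cmp -s "$1" "$2.orig"
}

# Print the two JVM options from the answer for a given copy.
#   $1 = trust store path (assumed to contain no spaces)
#   $2 = store password, defaults to the stock 'changeit'
truststore_opts() {
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=${2:-changeit}"
}

# Usage (hypothetical paths):
#   copy_truststore "$JAVA_HOME/lib/security/cacerts" "$HOME/.truststore/cacerts"
#   java $(truststore_opts "$HOME/.truststore/cacerts") -jar app.jar
```

Keeping the trust store owner-only matters for integrity: anyone who can write to it can add a CA that the JVM will then trust.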