views:

209

answers:

2

I have a single installation of java in a system that runs 2 or 3 applications.

All the applications use the same runtime.

Is there a way to specify a different keystore for the CA certs than the one in java_home/jre/lib/security? That is, is there an option to specify an "extra" keystore that is loaded and added to the certs loaded from java_home/jre/lib/security/cacerts?

What I want to avoid is having to re-import our local ca every time I upgrade the jdk in the box.

+3  A: 

According to this:

Java SSE Reference Guide - Customization

You could use the system property:

javax.net.ssl.keyStore

Like:

java -Djavax.net.ssl.keyStore=yourkeystore YourProgram

But!! I have never tried. Let me know if it works, would you?

OscarRyz
I don't think this is the correct answer, though it is close. The javax.net.ssl.keyStore and trustStore properties are subtly different, and what the OP needs is trustStore customization.
GregS
@GregS you're probably right. Feniix, would you let us know your results and/or what solution you used?
OscarRyz
+2  A: 

I think you want to specify the truststore:

java -Djavax.net.ssl.trustStore=/home/gene/mycacerts ...

Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacerts in the $JAVA_HOME/jre/lib/security/ directory (although you'd still have to do that each time a JDK got installed/reinstalled). Sun's JSSE looks for $JAVA_HOME/jre/lib/security/jssecacerts before $JAVA_HOME/jre/lib/security/cacerts.

See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager

CoverosGene
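As an added example that is not part of either answer above: both answers point at javax.net.ssl.trustStore, but that property replaces the default truststore rather than adding to it, so a program started that way no longer trusts the public CAs shipped in cacerts unless they were copied into the custom file. The OP's actual wish, an "extra" store loaded alongside the JDK default, can be done in code by initialising one TrustManagerFactory with a null keystore (which makes SunJSSE load jssecacerts, then cacerts, exactly as the second answer describes) and a second one with the local CA keystore, then delegating to both. The system property names local.ca.trustStore and local.ca.trustStorePassword are invented for this example, and it assumes Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not code from the thread: trusts the JDK default truststore
 * (jssecacerts, then cacerts) AND an extra keystore holding the local CA, so the
 * local CA never has to be re-imported into cacerts after a JDK upgrade.
 * The property names local.ca.trustStore / local.ca.trustStorePassword are
 * hypothetical; pick whatever suits the deployment.
 */
public final class ExtraTrustStore {

    /** Accepts a chain if ANY delegate trust manager accepts it. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            check(chain, authType, true);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            check(chain, authType, false);
        }

        private void check(X509Certificate[] chain, String authType, boolean client)
                throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (client) tm.checkClientTrusted(chain, authType);
                    else tm.checkServerTrusted(chain, authType);
                    return; // one store vouches for the chain: accept it
                } catch (CertificateException e) {
                    last = e; // not trusted by this store, try the next one
                }
            }
            // Every delegate rejected the chain: surface the last rejection
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> issuers = new ArrayList<>();
            for (X509TrustManager tm : delegates) {
                issuers.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            }
            return issuers.toArray(new X509Certificate[0]);
        }
    }

    /** Trust manager for a keystore; a null keystore selects the JDK default store. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /** Default CAs plus the local CA store named by the (hypothetical) property. */
    public static CompositeTrustManager buildTrustManager() throws Exception {
        List<X509TrustManager> managers = new ArrayList<>();
        managers.add(trustManagerFor(null)); // JDK default: jssecacerts, then cacerts
        String extra = System.getProperty("local.ca.trustStore");
        if (extra != null) {
            String pw = System.getProperty("local.ca.trustStorePassword", "changeit");
            managers.add(trustManagerFor(loadKeyStore(extra, pw)));
        }
        return new CompositeTrustManager(managers);
    }

    public static void main(String[] args) throws Exception {
        CompositeTrustManager tm = buildTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null);
        SSLContext.setDefault(ctx); // HttpsURLConnection etc. now use the combined store
        System.out.println("Trusted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```

Run it as `java -Dlocal.ca.trustStore=/path/to/localca.jks -Dlocal.ca.trustStorePassword=changeit ExtraTrustStore`; without the property it behaves exactly like a stock JDK. Because the extra store is a separate file outside java_home, upgrading the JDK replaces cacerts but leaves the local CA in place. The composite manager only widens trust, so keep the local CA keystore read-only to the application user: anyone who can write to it can add an issuer the application will accept.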