javax.net.ssl.trustStore Option Behaviour
Posted on March 10, 2021 (Last modified on March 17, 2025) • 2 min read • 336 words
In this tutorial we will test the behaviour of the javax.net.ssl.trustStore option. The objective is to check whether the -Djavax.net.ssl.trustStore option appends to or replaces the default keystore used by Java.
1. Install openjdk-8-jdk on Ubuntu 16.04
sudo apt-get install openjdk-8-jdk
2. Create the HttpsUrlReader app. Source code can be found in this link.
3. Check connections without providing a custom keystore (both will succeed)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org
4. Remove the Let's Encrypt root certificates
sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts
Note: to search for an alias, list all certificates inside the keystore using the command below.
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias
5. Check connections without providing a custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org
6. Download the ISRG and DST / TrustID roots
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem
7. Add the ISRG and DST roots to a new keystore named customKeystore
keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore
keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore
A new keystore named customKeystore will be created in the current working directory.
8. Check connections using the new customKeystore (Let's Encrypt will succeed, icanhazip.com will fail)
java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com
java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org
When we provide the javax.net.ssl.trustStore option to a Java application, the default keystore is not used at all. The custom trust store passed via javax.net.ssl.trustStore replaces the default keystore; it does not append to it.
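As an added example (not the HttpsUrlReader app from this post), the Java class below prints which trust store the JVM will actually consult and, because the option replaces rather than appends, builds a merged store that keeps the JDK's default roots and adds one PEM root. It assumes the JDK's cacerts lives at $JAVA_HOME/lib/security/cacerts and uses the conventional password changeit for the file it writes; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TrustStoreCheck {
    // Path to the JDK's own cacerts (assumed). On Debian/Ubuntu this file links to
    // /etc/ssl/certs/java/cacerts, the store edited in the tutorial.
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Load a key store from disk. A null password skips the integrity check,
    // which is also what JSSE does when no trustStorePassword is supplied.
    static KeyStore loadStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    // "Append" by hand: start from every default root, add one PEM root, save.
    static void buildMergedStore(Path pemRoot, Path out, char[] password) throws Exception {
        KeyStore merged = loadStore(defaultCacerts(), null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemRoot.toFile())) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            merged.setCertificateEntry("custom:" + pemRoot.getFileName(), cert);
        }
        try (FileOutputStream fos = new FileOutputStream(out.toFile())) {
            merged.store(fos, password);
        }
    }

    public static void main(String[] args) throws Exception {
        // The store JSSE will consult: the property if set, otherwise the JDK cacerts.
        String prop = System.getProperty("javax.net.ssl.trustStore");
        Path active = prop == null ? defaultCacerts() : Paths.get(prop);
        System.out.println("Trust store in use: " + active
                + " (" + loadStore(active, null).size() + " entries)");
        if (args.length == 2) { // usage: TrustStoreCheck <root.pem> <merged-store-path>
            buildMergedStore(Paths.get(args[0]), Paths.get(args[1]), "changeit".toCharArray());
        }
    }
}
```

Run it once without the option and once with -Djavax.net.ssl.trustStore=customKeystore to see the entry count drop from the full default set to the two roots imported in step 7; pointing the option at the merged store restores both the public roots and the added one.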