On 10/08/2014 01:57 AM, Wang Weijun wrote:
> On Oct 8, 2014, at 16:01, Xuelei Fan <[email protected]> wrote:
>> It looks strange to me now that this keytool command cannot specify the
>> customized trusted anchor sources. Normally, the key store of the trust
>> anchor should be customizable so that users can use trust anchors
>> other than the cacerts key store. For example, in JSSE, an application is
>> able to use a key store other than cacerts as the trust store; in PKIX
>> certification path building and validation, an application is also able to
>> specify the trust store.
> It will be ugly if we add too many options for keytool. I'll think about
> creating some new system properties.
I agree that we should not read jssecacerts by default. My vote would be
to extend -trustcacerts to take an optional path to a cacerts file but
fall back on lib/security/cacerts if not specified. This enhancement
could then be useful for more than just jssecacerts. For example, in my
JavaOne presentation, I gave an example of creating a Domain KeyStore
that encompasses two root stores:
https://blogs.oracle.com/mullan/resource/J1-2014-CON5778.pdf
(see slides 34-35)
--Sean
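The point Xuelei raises above, that JSSE and PKIX path validation both accept a caller-supplied trust store instead of lib/security/cacerts, looks like this in application code. This is an added illustration, not code from the thread or from the JDK's keytool; the trust-store path, its password and the PEM chain file are command-line arguments the example assumes, and revocation checking is switched off so the snippet runs without CRL or OCSP access.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example (not JDK code): use an explicit trust-anchor key store for both
// PKIX certification path validation and a JSSE SSLContext.
public class CustomTrustAnchors {

    // Load the trust anchors from a caller-chosen key store file instead of
    // the JDK's default lib/security/cacerts.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Read a PEM file holding the end-entity certificate followed by any
    // intermediates (leaf first), as a list suitable for generateCertPath.
    static List<Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            return new ArrayList<>(cf.generateCertificates(in));
        }
    }

    // PKIX validation: every trustedCertEntry in trustStore becomes a
    // TrustAnchor; nothing from cacerts is consulted.
    static void validateChain(List<Certificate> chain, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption for this offline example: no CRL/OCSP sources are
        // configured, so revocation checking is disabled. Production code
        // should leave it on or install a PKIXRevocationChecker.
        params.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        cpv.validate(path, params);
    }

    // JSSE: a TrustManagerFactory initialised from the same key store yields
    // an SSLContext that trusts only those anchors.
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CustomTrustAnchors <truststore> <password> <chain.pem>");
            System.exit(2);
        }
        KeyStore trust = loadTrustStore(args[0], args[1].toCharArray());
        List<Certificate> chain = readChain(args[2]);
        try {
            validateChain(chain, trust);
            System.out.println("chain validates against anchors in " + args[0]);
        } catch (CertPathValidatorException e) {
            // Reports which certificate in the path failed and why.
            System.out.println("validation failed at index " + e.getIndex()
                + ": " + e.getReason() + " (" + e.getMessage() + ")");
        }
        SSLContext ctx = sslContextFor(trust);
        System.out.println("SSLContext ready with protocol " + ctx.getProtocol());
    }
}
```

Run it with a trust store built by keytool (for example `keytool -importcert -keystore anchors.p12 ...`) and a PEM chain; a leaf signed by a CA absent from that store fails with reason NO_TRUST_ANCHOR, which is exactly the behaviour the thread wants keytool's -trustcacerts check to be able to mirror for a non-default store.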