Yes cacerts is still in the JKS format but that might change given the additional features and extensibility offered by PKCS12 keystores.
Also, since the cacerts keystore contains only root CA certs its certs could be handled differently. For example, the certs could be stored unencrypted and/or separately from the regular certs. This would allow passwordless access but at the cost of interoperability. On 6 Mar 2015, at 14:00, Wang Weijun <weijun.w...@oracle.com> wrote: > >> 在 2015年3月6日,19:49,Vincent Ryan <vincent.x.r...@oracle.com> 写道: >> >> If it helps then the PKCS12 implementation could be modified to use the >> empty password (“”) >> when a null password is supplied. > > I'm not suggesting this. It's just the behavior change might break some > existing codes. When I try to export a cert, I never provide any password. > > Also, cacerts is still in JKS now, right? Are we going to make it pkcs12? And > if so what will the password be? > > --Max
