Hi,
There is already a feature in the JDK that is close to what you are
looking for. There is a KeyStore type called "DKS" (called the
DomainKeyStore). See
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/DomainLoadStoreParameter.html
for more info on how to configure it.
Basically, it uses a config file to present a collection of keystores as
one logical keystore.
Currently there is no way to specify the configuration file as a system
property, so you would have to write a custom TrustManagerFactory.
I would try seeing if this solution is workable and we can think about
whether adding a system property for the config file is something that
would be useful.
--Sean
On 10/1/25 9:14 AM, Baesken, Matthias wrote:
Hi, we were recently asked if it is possible to have in Java
something like a "union" of the Java certs and the system keystore.
Currently it seems to be only possible to use one of them, e.g. a) use
the Java cacerts or b) switch fully to the system keystore (on
Windows, there seems to be -Djavax.net.ssl.trustStoreType=Windows-ROOT ).
For a more detailed discussion see
https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929
*"What we would need is a union of both keystores, which is currently
not possible (neither is accessing the 'System Roots' nor is telling
the JVM to use a union of multiple stores)."*
and also
https://github.com/eclipse-packaging/packages/pull/224
Sean Coffey also pointed out that there is the option of implementing
one's own 'TrustManagerFactory' implementation via addition of a
provider (currently, only the JSSE provider provides such
functionality by default; e.g. the entry point to loading trusted certs
would be via this code:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L48
).
So is there some plan to have such a "union" / merging directly in
the JDK?
Or any hints on how to handle this?
(it seems there are some people building a "union" / merged trustStore
with scripts, but this looks a bit like a hack to me and will not work
for all users)
Best regards, Matthias
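To make the DKS approach Sean describes concrete, here is an added example (not code from either mail or from the JDK) that loads a "union" domain of the JDK cacerts plus the Windows system roots and builds an SSLContext from it. The config file path, the domain name "union", and listing Windows-ROOT without a keystoreURI are assumptions; as Sean notes, this does not change the JVM-wide default trust store, the context has to be wired into clients explicitly.

```java
import java.io.IOException;
import java.net.URI;
import java.security.DomainLoadStoreParameter;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Assumed DKS configuration file at C:\app\etc\truststores.dks (hypothetical path):
 *
 *   domain union {
 *       keystore jdk-cacerts
 *           keystoreURI="${java.home}/lib/security/cacerts";
 *       keystore windows-root
 *           keystoreType="Windows-ROOT"
 *           keystoreProviderName="SunMSCAPI";
 *   };
 *
 * The "windows-root" entry has no keystoreURI; this assumes the DKS loader accepts a
 * URI-less entry for a provider-backed keystore (assumption, not verified here).
 */
public final class UnionTrustStore {

    /** Loads the domain named in the URI fragment and returns it as one logical KeyStore. */
    public static KeyStore loadUnion(URI dksConfig) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("DKS");
        // No per-keystore passwords: cacerts loads without an integrity check, Windows-ROOT needs none.
        Map<String, KeyStore.ProtectionParameter> passwords = Collections.emptyMap();
        ks.load(new DomainLoadStoreParameter(dksConfig, passwords));
        return ks;
    }

    /** Builds an SSLContext trusting the merged store; it is NOT the JVM-wide default. */
    public static SSLContext sslContextFor(KeyStore union) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(union); // PKIX trust manager over every certificate in the domain
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore union = loadUnion(URI.create("file:///C:/app/etc/truststores.dks#union"));
        System.out.println("trusted entries in union: " + union.size());
        SSLContext ctx = sslContextFor(union);
        System.out.println("context protocol: " + ctx.getProtocol()); // pass ctx to HttpClient etc.
    }
}
```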