Retrieve and use Root-CA list of Microsoft or Mozilla and use it in Java?

The list of included root-CA certificates in OpenJDK for Windows is quite impressive, but there are a lot of root-CA certificates that are trusted by common browsers like Firefox that are not trusted by Java.

Both Microsoft and Mozilla publish their current list of root-CA certificates, but the file format used seems to be proprietary.

The curl project has an automatic converter that uses the Mozilla file as source; however, this converter (mk-ca-bundle) is a Perl script.

Is there a way to read one of these lists with plain Java so that it can be used as a trust store afterwards?

OpenJDK describes how they build the cacerts file in the Security files for OpenJDK repo. The script downloads the certificates from Mozilla:

wget https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt .

As per the repo instructions, you could build your own cacerts file that will trust another list of certificates of your own choosing:

  1. Download the following Perl script: https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl

  2. Download the following Java application: https://github.com/use-sparingly/keyutil/releases/download/0.4.0/keyutil-0.4.0.jar (source available at https://github.com/use-sparingly/keyutil)

  3. Run the provided GenerateCertsFile.sh script with: bash ./GenerateCertsFile.sh - this will use the above files, assuming they're located in the same directory as the script

  4. Use the cacerts provided: it must be in the jdk/jre/lib/security or jdk/lib/security folder
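
For the "plain Java" part of the question, one option is to load the PEM bundle that mk-ca-bundle writes straight into an in-memory trust store instead of replacing the JDK's cacerts. This is an added example, not code from the original post or from the OpenJDK, curl or keyutil projects; the class name PemBundleTrustStore and the bundle path passed as the first argument are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.regex.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not part of the JDK, curl or keyutil.
public class PemBundleTrustStore {
    private static final Pattern PEM = Pattern.compile(
        "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

    // Parse every CERTIFICATE block; the name/separator lines between blocks are ignored.
    static KeyStore load(String bundleText) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty: only roots from the bundle are trusted
        Matcher m = PEM.matcher(bundleText);
        while (m.find()) {
            byte[] der = Base64.getMimeDecoder().decode(m.group(1));
            // Alias = SHA-256 fingerprint, so duplicates collapse and entries are auditable.
            ks.setCertificateEntry(new BigInteger(1, sha256.digest(der)).toString(16),
                cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        if (ks.size() == 0) throw new IllegalArgumentException("no certificates found in bundle");
        return ks;
    }

    // TLS context that trusts only the loaded roots; the JVM-wide cacerts is untouched.
    static SSLContext contextFor(KeyStore roots) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0] (assumed): path to the PEM bundle written by mk-ca-bundle
        KeyStore ks = load(new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII));
        SSLContext ctx = contextFor(ks);
        System.out.println(ks.size() + " roots loaded, protocol " + ctx.getProtocol());
    }
}
```

Setting the context on individual connections, for example with HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()), keeps the wider root list scoped to the code that needs it.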
