tomcat 将证书添加到信任库

Question

I have java web application deployed on kuberneties cluster and runs on tomcat (tomcat:9.0.37) container. my application connect with ABC API and in order to connect to ABC API i need to have ABC API certificate in my trust store. for my local testing i am able to use keytool command to add the certificate to my JRE cecart like below command keytool -importcert -alias startssl -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file ABC.cert but i want to know is this the only way to add cert to trust store or some other way i can add cert in trust store.

Answer 1

First, if you want to have a different default truststore for SSL/TLS than for other purposes, but still JRE-wide, you can use (JRE)/lib/security/jssecacerts instead of (JRE)/lib/security/cacerts . Unlike cacerts which is filled by the JRE package or platform with numerous common CAs, jssecacerts starts out empty; if you want any of the common CAs, you must add them explicitly, optionally by copying from cacerts one-by-one or just copying the whole cacerts file. I don't know if you will count this as 'other' or not.

Second, you can change the default truststore for a JVM instance with system properties javax.net.ssl.trustStore* ; see the documentation (a few pages into the second table, Table 8-3) and more specifically this subordinate section .

Third, for a specific connection (or sometimes groups of connections) within the JVM, you can specify a different truststore in the code that creates the connection; the method varies with different means of creating the connection, which you didn't identify. Using SSLSocket or SSLEngine directly is one thing; java.net.UrlConnection and java.net.http.HttpClient (in j11+) are different; middleware like Apache or many others are different again. Rather than spend hours trying to write all possible options, most of which would be wasted, I'll let you ask again if you want this. In the StackOverflow mantra, "show your code".