
I recently had to add my corporate root CA (based on AD CS) into the JRE default truststore (the $JAVA_HOME/lib/security/cacerts file). I then discovered (as I am new to this) that the default password is changeit.

I found various posts explaining how to change it but there are two questions I can't find answers to:

  1. Is keeping the default password a security risk? I guess an attacker could then import compromised certificates so clients trust them.
  2. What are the impacts of changing this truststore password? I also guess the JRE can look for root CA inside because it knows the default password. Once changed, will it have to be provided somewhere (config file, ...)?

We mainly use Java on Windows for websites which have applets, so we don't start anything from the command line (on which I know the password can be provided).

LoTus
  • You don't need to know the password to read a truststore. You only need to know the password to read key entries in a KeyStore. – user207421 Nov 28 '16 at 20:56
  • I am a bit confused then. When I issue the command `keytool -list -alias mycorpCA -keystore $JAVA_HOME/lib/security/cacerts`, I am asked to provide the password. – LoTus Nov 29 '16 at 18:59

2 Answers


Regarding your second question, there are system properties to specify passwords for default trust store and default key store. The one for the trust store is: javax.net.ssl.trustStorePassword

I found that information at https://stackoverflow.com/a/5871352/5629418

If the attacker can read your Java system properties, either in a config file or by running a Java program, then changing the password will be mostly futile though.

Roland Weber
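The comment above says the password is not needed to read a truststore, and this answer points at javax.net.ssl.trustStorePassword; the following added Java example (not from the question or either answer) shows what ties the two together: the JKS truststore password keys an integrity digest over the file, that digest is only verified when the loader actually supplies a password, and a null password reads every certificate with no check at all (which is what JSSE's default trust manager does when javax.net.ssl.trustStorePassword is unset). The class name and the custom password are assumptions; the keystores are constructed empty in memory, so no cacerts file is touched.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

/** Constructed demo of what the JKS truststore password does and does not protect. */
public class TrustStorePasswordDemo {

    /** Serialise an empty JKS keystore; JKS appends a digest keyed by the password. */
    static byte[] writeJks(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                        // start with an empty keystore
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);                    // password must be non-null for store()
        return out.toByteArray();
    }

    /** Load the bytes; a null password means the integrity digest is not checked. */
    static String tryLoad(byte[] data, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(data), password);
            return "OK (" + ks.size() + " entries readable)";
        } catch (IOException e) {
            // JKS reports a digest mismatch as IOException
            // ("Keystore was tampered with, or password was incorrect")
            return "REJECTED: " + e.getMessage();
        } catch (Exception e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] defaultPw = "changeit".toCharArray();
        char[] customPw  = "correct-horse-battery".toCharArray(); // assumed non-default password

        byte[] original = writeJks(customPw);
        // A wholesale replacement file written with the well-known default password,
        // i.e. what a write-capable party who does not know customPw could produce.
        byte[] replaced = writeJks(defaultPw);

        System.out.println("original, custom pw : " + tryLoad(original, customPw));  // OK
        System.out.println("original, default pw: " + tryLoad(original, defaultPw)); // REJECTED
        System.out.println("replaced, custom pw : " + tryLoad(replaced, customPw));  // REJECTED: detected
        System.out.println("replaced, null pw   : " + tryLoad(replaced, null));      // OK: nothing checked
    }
}
```

The last line is the important one for the question: a changed password only detects a swapped cacerts file if the consuming application passes that password to load(), so without javax.net.ssl.trustStorePassword (or equivalent) the change buys no integrity protection, and anyone who can write the file can rewrite it with any password they like.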

Regarding your second question: "What are the impacts of changing this truststore password?"

One of the implications of changing that password is that the new password value is better allocated and stored somewhere for later retrieval and for provisioning the corresponding accesses. And if that password is not stored, it is better to have a procedure for restoring it.

This article contains the code for changing such a password:

thetechawesomeness.ideasmatter.info

Oleksii Kyslytsyn