How SSL certficates are loaded into (or removed from) the memory of a Java process

Question

First of all, I must say I'm not a Java developer but a sys admin.

I thought when a Java process is launched with no javax.net.ssl.trustStore and javax.net.ssl.keyStore properties, the certificates in its $JAVA_HOME/jre/lib/security/cacerts always are loaded and used.

But I have found that one JBoss war loads another keystore and ignore the certificates in the default cacerts.

The problem was a PKIX typical error message

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

but I was sure the certificate needed was in the default cacerts.

I had to put the property javax.net.debug=all to shed some light on this issue and found that another keystore was loaded -- one having an old expired certificate, and which I didn't know.

After adding the valid certificate on the second keystore, the PKIX error message disappeared.

Then, how SSL certificates are dealed in a Java process?

When a new keystore is loaded, previously loaded certificates are deleted from memory?

Best regards

Answer 1

No, when a new keystore is loaded, previously loaded certificates are not replaced/discarded by default.

Internally Java handles keystores like you open a document in Word: You can open/load a keystore, retrieve certificates, delete certificates, add new certificates and of course save the whole keystore after modifying it.

When performing an HTTPS call you can specify a TrustManager and this TrustManager holds a references to loaded keystores. As it is simply to just replace the default keystore by the custom keystore then Java will consider only the custom keystore.

You could also use both keystore, the default Java one and the custom one as shown in this answer (uses two TrustManager instances that are chained).

Alternatively the developer could modify the loaded keystore in memory and add the certificates from the Java default store.

As you can see it is up to the developer how a Java program handles this situation.