I was troubleshooting an SSLHandshakeException on my Apache Tomcat server when I noticed some very weird behaviors of the JDK truststore (<jdk-root>/lib/security/cacerts) on the server.
Across all the many JDKs installed on the server (multiple major and minor versions), wherever I look at a truststore under a specific installation, it is completely identical to all the others.
Additionally, if I import a new certificate using this command:
keytool -import -trustcacerts -alias <somealias> -file <somecertificate>.cer -keystore <jdk-root>/lib/security/cacerts -storepass <password>
this newly imported certificate is also immediately included in all other truststores under different JDK installations. No restart of the JVM is necessary for the running Tomcat applications to use this newly imported certificate either.
Both the automatic reload and the shared truststore are in stark contrast to what I experience in my local dev environment, which is why I'm puzzled by this.
Can someone point me in the direction of what is going on here?
CodePudding user response:
Because "cacerts" is a symbolic link on your server. Check it with ls -la <jdk-root>/lib/security/
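As an added example (not code from the original question or answer), the following POSIX shell script performs the check the answer describes and goes one step further: it resolves each JDK's cacerts path to its final target and counts how many distinct truststore files a set of JDK roots really use. The jdk-8, jdk-11, jdk-17 and etc/ssl/certs/java/cacerts paths in the built-in sandbox are constructed sample data, not the asker's server layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether each
# <jdk-root>/lib/security/cacerts is a symbolic link, resolves it, and
# reports how many distinct truststore files a set of JDK roots share.

# Report one JDK root: "symlink -> <target>", "regular" or "missing".
# Exit status: 0 = symlink, 1 = regular file, 2 = not present.
inspect_cacerts() {
    jdk="$1"
    ts="$jdk/lib/security/cacerts"
    if [ -L "$ts" ]; then
        printf '%s symlink -> %s\n' "$jdk" "$(readlink "$ts")"
        return 0
    elif [ -f "$ts" ]; then
        printf '%s regular\n' "$jdk"
        return 1
    else
        printf '%s missing\n' "$jdk"
        return 2
    fi
}

# Follow a chain of symlinks (absolute or relative targets) to the real
# truststore file and print a canonical path, so that two JDK roots that
# point at the same file produce the same string. Avoids readlink -f,
# which is not portable to every platform.
resolve_cacerts() {
    p="$1/lib/security/cacerts"
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
    done
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || { printf '%s\n' "$p"; return; }
    printf '%s/%s\n' "$d" "$(basename "$p")"
}

# Number of distinct truststore files behind the given JDK roots.
# A result of 1 for several roots means one shared truststore: an import
# through any of those paths lands in the same file.
count_distinct_truststores() {
    for jdk in "$@"; do resolve_cacerts "$jdk"; done | sort -u | wc -l | tr -d ' '
}

# Constructed sandbox (sample data): two JDKs linked to one shared
# truststore, plus one JDK with a private regular-file truststore.
build_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl/certs/java" \
             "$root/jdk-8/lib/security" \
             "$root/jdk-11/lib/security" \
             "$root/jdk-17/lib/security"
    : > "$root/etc/ssl/certs/java/cacerts"      # the single shared truststore
    ln -s "$root/etc/ssl/certs/java/cacerts" "$root/jdk-11/lib/security/cacerts"
    ln -s "$root/etc/ssl/certs/java/cacerts" "$root/jdk-17/lib/security/cacerts"
    : > "$root/jdk-8/lib/security/cacerts"      # private, regular file
    printf '%s\n' "$root"
}

# Demo on the sandbox; on a real server pass the actual <jdk-root> paths.
SANDBOX=$(build_sandbox)
for j in "$SANDBOX/jdk-8" "$SANDBOX/jdk-11" "$SANDBOX/jdk-17"; do
    inspect_cacerts "$j" || true
done
echo "distinct truststores: $(count_distinct_truststores "$SANDBOX/jdk-8" "$SANDBOX/jdk-11" "$SANDBOX/jdk-17")"
rm -rf "$SANDBOX"
```

In the sandbox, jdk-11 and jdk-17 resolve to the same file and count as one truststore, while jdk-8 counts separately. Running inspect_cacerts and count_distinct_truststores against the real installation directories shows the same thing ls -la reveals, but also makes clear which installations write to the same file when keytool -import is run against any one of them.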