Runtime java cacerts generation
mvyskocil at suse.cz
Thu Apr 15 07:28:07 PDT 2010
My brave colleague from the security team is working on a redesign of the
certificates system in SUSE. Because programs like Java require their own format,
he wants to be able to generate the new file after installation. The current
approach of calling keytool for each certificate file is very slow and unusable.
Each run of keytool requires a start of the whole JVM, which is not optimal for one small
The keytool.java is able to run over the directory, read all PEM files
from it and generate the cacerts file in one run, which makes it very quick:
$ time java keystore -keystore cacerts -cadir /usr/share/ca-certificates/mozilla/ -storepass 'changeit' -f
121 added, 0 removed.
and this can be called from %post of the package after a certificates update. I
tested the final cacerts using Pavel's TestHttps.
So your comments and thoughts are welcome.
BTW: it can be built using gcj and run under gij, but I did not test the
gcc-java created cacerts under openjdk.
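
The single-JVM approach described in the message, as an added example that is not part of the original post and is not the attached keytool.java: it reads every PEM file in a directory and writes one JKS trust store in a single run. The class name BuildCacerts, the argument order and the *.pem file pattern are assumptions made for this sketch.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example (hypothetical BuildCacerts, not the keytool.java from the post).
public class BuildCacerts {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java BuildCacerts <cadir> <keystore> <storepass>");
            System.exit(2);
        }
        Path caDir = Paths.get(args[0]);
        char[] pass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, pass);                        // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        int added = 0, skipped = 0;
        try (DirectoryStream<Path> pems = Files.newDirectoryStream(caDir, "*.pem")) {
            for (Path pem : pems) {
                try (InputStream in = new BufferedInputStream(Files.newInputStream(pem))) {
                    int n = 0;                      // a PEM file may hold several certificates
                    for (Certificate c : cf.generateCertificates(in)) {
                        String alias = (pem.getFileName() + (n == 0 ? "" : "-" + n))
                                .toLowerCase(Locale.ROOT);
                        ks.setCertificateEntry(alias, c);   // trusted-certificate entry, no key
                        n++;
                        added++;
                    }
                } catch (CertificateException e) {
                    // One malformed file must not abort the run, but it must be visible.
                    System.err.println("skipping " + pem + ": " + e.getMessage());
                    skipped++;
                }
            }
        }
        // Write beside the target and rename, so a failed run never leaves a truncated store.
        Path out = Paths.get(args[1]).toAbsolutePath();
        Path tmp = Files.createTempFile(out.getParent(), "cacerts", ".tmp");
        try (OutputStream os = Files.newOutputStream(tmp)) {
            ks.store(os, pass);
        }
        Files.move(tmp, out, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        System.out.println(added + " added, " + skipped + " skipped.");
    }
}
```

On POSIX systems Files.createTempFile creates the file readable by its owner only, so a packaging script that installs the result as a shared trust store still has to set the final file mode.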