> My brave colleague from the security team is working on a redesign of the
> certificates system in SUSE[1]. For programs like Java, which require their
> own format, he wants to be able to generate the new file after installation.
> The current approach of calling keytool for each certificate file is very slow
> and unusable. Each run of keytool requires a start of the whole JVM, which is
> not optimal for one small file.

You don't need to do it this way; have a look at the ca-certificates-java
package file in Ubuntu: the certificates available in the ca-certificates
package are pregenerated at build time, and just added at installation time.
Runtime is below 1 sec iirc for the installation.

A more interesting question would be the handling of private certificates; it 
currently works in Ubuntu, but you have to store the keystore password on disk 
for handling the cacerts file. It would be nice to be able to read more than one 


