What Is ca-certificates-java Package

This section describes the 'ca-certificates-java' package, which installs trusted root CA certificates in JKS format supporting Java applications.

What Is ca-certificates-java Package?

"ca-certificates-java" is a software package that contains trusted root CA certificates, provided by Mozilla Foundation, in JKS (Java KeyStore) format.

"ca-certificates-java" is usually installed as part of OpenJDK packages on most Linux systems like Debian, Ubuntu, and Red Hat distributions. Root CA certificates stored in JKS (Java KeyStore) format installed from "ca-certificates-java" allow Java applications to verify remote server certificates and establish encrypted connections.

To ensure security, it is highly recommended to keep "ca-certificates-java" updated, as Mozilla Foundation periodically adds and removes CA certificates. You can run package update commands as shown below:

# on Ubuntu
herong$ sudo apt install ca-certificates-java  
...
ca-certificates-java is already the newest version ...

After installation, trusted root CA certificates will be stored in 2 places:

1. /etc/ssl/certs/java/cacerts - trusted root CA certificates in a JKS file for Java applications to use. It has a default password of "changeit".

herong$ ls -l /etc/ssl/certs/java/cacerts 

-rw-r--r-- 1 root root 157762 Dec 26 10:45 cacerts

2. /usr/share/ca-certificates-java/ca-certificates-java.jar - trusted root CA certificates as a JAR (Java ARchive) file for "update-ca-certificates" command to maintain the JKS file.

herong$ ls -l /usr/share/ca-certificates-java

-rw-r--r-- 1 root root 6352 May 17  2023 ca-certificates-java.jar

The JVM (Java Virtual Machine) will have a symbolic link to the root CA certificate JKS file:

herong$ echo $JAVA_HOME
/usr/lib/jvm/java-11-openjdk-amd64

herong$ ls -l $JAVA_HOME/lib/security/cacerts
lrwxrwxrwx 1 root root 27 May  9  2023 security/cacerts 
  -> /etc/ssl/certs/java/cacerts
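
Because the "changeit" password is a published default, the listings above (symbolic link target, root ownership, -rw-r--r-- mode) are what actually protect the trust store. The following shell function is an added example, not part of the original tutorial or of the package; the name check_cacerts, its arguments and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: integrity check for the Java trust store described above.
# check_cacerts and its return codes are hypothetical, not part of any package.
#
# Usage:   check_cacerts JVM_CACERTS SYSTEM_STORE [OWNER]
# Returns: 0 ok, 1 JVM path does not resolve to the system store,
#          2 store missing or empty, 3 group/world writable, 4 wrong owner
check_cacerts() {
    cc_link=$1
    cc_store=$2
    cc_owner=${3:-root}

    # Resolve the system store and require a non-empty regular file.
    cc_real=$(readlink -f "$cc_store" 2>/dev/null) || cc_real=
    if [ -z "$cc_real" ] || [ ! -f "$cc_real" ] || [ ! -s "$cc_real" ]; then
        echo "FAIL: $cc_store is missing or empty" >&2
        return 2
    fi

    # The JVM's cacerts must resolve to that same file. A separate copy
    # would not be the file that the package tooling maintains.
    cc_target=$(readlink -f "$cc_link" 2>/dev/null) || cc_target=
    if [ "$cc_target" != "$cc_real" ]; then
        echo "FAIL: $cc_link resolves to '${cc_target}', expected $cc_real" >&2
        return 1
    fi

    # The "changeit" password is a published default, so write access to the
    # file is the only barrier against adding a rogue root CA.
    if [ -n "$(find "$cc_real" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $cc_real is writable by group or others" >&2
        return 3
    fi
    if [ -z "$(find "$cc_real" -prune -user "$cc_owner")" ]; then
        echo "FAIL: $cc_real is not owned by $cc_owner" >&2
        return 4
    fi

    echo "OK: $cc_link -> $cc_real (owner $cc_owner, not group/world writable)"
    return 0
}
```

On the system shown above, it would be called as: check_cacerts "$JAVA_HOME/lib/security/cacerts" /etc/ssl/certs/java/cacerts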
