146

I am looking on how how to obtain the location of cacerts of the default java installation, when you do not have JAVA_HOME or JRE_HOME defined.

I need a solution that works at least for OS X and Linux.

Yes. java -v is assumed to work :)

Improve this question
0

9 Answers 9

Reset to default
244

Under Linux, to find the location of $JAVA_HOME:

readlink -f /usr/bin/java | sed "s:bin/java::"

the cacerts are under lib/security/cacerts:

$(readlink -f /usr/bin/java | sed "s:bin/java::")lib/security/cacerts

Under mac OS X , to find $JAVA_HOME run:

/usr/libexec/java_home

the cacerts are under Home/lib/security/cacerts:

$(/usr/libexec/java_home)/lib/security/cacerts

UPDATE: JDK 8 (or prior)

The code above was tested on a computer with a JRE installed. When using a JDK for Java 8 (or prior), as pR0Ps said, it's at

$(/usr/libexec/java_home)/jre/lib/security/cacerts

For Java 9 and above, both JRE and JDK use $(/usr/libexec/java_home)/lib/security/cacerts.

Improve this answer
11
  • 9
    In OS X, the "official" way to find JAVA_HOME is running /usr/libexec/java_home
    – Daniel Serodio
    Commented May 28, 2013 at 16:43
  • 3
    @DanielSerodio, agreed. /usr/libexec/java_home gives me a different answer from the readlink-based command above, and the former seems to be correct, in that it contains the cacerts file.
    – Andrew Ferrier
    Commented Mar 10, 2014 at 15:32
  • 1
    @DanielSerodio and AndrewFerrier thanks guys, answer updated.
    – Kuf
    Commented Mar 10, 2014 at 15:51
  • 1
    @Kuf My JDK does not have this lib/security folder on Mac Yosemite. I am positive that i am in the right $JAVA_HOME
    – Brian
    Commented Feb 3, 2016 at 17:54
  • 1
    On OSX 10.10.5 the security folder is under: Home/jre/lib/security
    – Sid Sarasvati
    Commented Mar 23, 2016 at 15:24
55

As of OS X 10.10.1 (Yosemite), the location of the cacerts file has been changed to

$(/usr/libexec/java_home)/jre/lib/security/cacerts
Improve this answer
17

For Java 9 onwards, it's in

${JAVA_HOME}/lib/security/cacerts

as opposed to the usual

${JAVA_HOME}/jre/lib/security/cacerts

Improve this answer
16

If you need to access those certs programmatically it is best to not use the file at all, but access it via the trust manager. The following code is from a OpenJDK Test case (which makes sure the built cacerts collection is not empty):

TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers =
    trustManagerFactory.getTrustManagers();
X509TrustManager trustManager =
    (X509TrustManager) trustManagers[0];
X509Certificate[] acceptedIssuers =
    trustManager.getAcceptedIssuers();

So you don’t have to deal with file location or keystore password.

Improve this answer
5
  • 1
    This is not reading the certificate installed in cacerts. i am able to if using file path and password
    – Somnath Singh
    Commented Sep 21, 2020 at 14:45
  • Yup @SomnathSingh is correct, this is definitely not reading the root cacerts. I have no idea what this is actually reading though.
    – Hunter Jackson
    Commented Jan 29, 2021 at 17:51
  • 1
    It reads the cacerts file in the same way the JDK implementation is using the default implementation.
    – eckes
    Commented Jan 29, 2021 at 19:58
  • Nice pointer, but I do not see how above code reveals the location of the cacerts file? It accesses the content, which is good to know, but does not answer the OP question. Or am I missing something?
    – mgaert
    Commented Aug 10, 2022 at 9:20
  • 1
    Yes the answer reads "not use the file at all"
    – eckes
    Commented Aug 10, 2022 at 15:21
12

In MacOS Mojave, the location is:

/Library/Java/JavaVirtualMachines/jdk1.8.0_192.jdk/Contents/Home/jre/lib/security/cacerts

If using sdkman to manage java versions, the cacerts is in

~/.sdkman/candidates/java/current/jre/lib/security
Improve this answer
1
  • 2
    NOTE: For current versions of sdkman w/ JDK 11, the location is ~/.sdkman/candidates/java/current/lib/security
    – Snekse
    Commented Jan 30, 2020 at 20:08
7

In High Sierra, the cacerts is located at : /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/jre/lib/security/cacerts

Improve this answer
3

In Ubuntu 20.04.3 LTS, the cacerts is located at: /etc/ssl/certs/java/cacerts

$ java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)

$ ls -lah /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts*
/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
Improve this answer
1
  • 2
    This is also true in 22.04
    – Bob
    Commented Jul 8, 2022 at 4:14
1

You can also consult readlink -f "`which java`". However it might not work for all binary wrappers. It is most likely better to actually start a Java class.

Improve this answer
0

for my Mac running MacOS Sonomoa 14.3.1, JDK8 installed from homebrew:

/usr/local/Cellar/openjdk@8/1.8.0-382_1/libexec/openjdk.jdk/Contents/Home/jre/lib/security/cacerts
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.