On 11/28/2017 12:01 PM, Markovich via FreeIPA-users wrote: Hi, in order to configure your truststore in a java application, you can either - launch the java app with -Djavax.net.ssl.trustStore=/path/to/keystore - define the value in the java code with System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore") - if javax.net.ssl.trustStore is not defined, then java will look in $java-home/lib/security/jssecacerts or $java-home/lib/security/cacerts (see JSSE Reference Guide [1]). If you are using openJDK for instance, $java-home/lib/security/cacerts is a link to /etc/pki/java/cacerts. The default password is "changeit", and this keystore can be modified using update-ca-trust(8). I don't think that FreeIPA is relying on this file. For instance Dogtag (the CA component) is running inside Tomcat and is using /etc/pki/pki-tomcat/alias which is a NSS database. Flo [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSE...