Every so often you run into an issue where you need to import a certificate authority's certificate into Java's cacerts file, the keystore of trusted certificate authorities that ships with the JDK. Oracle does update the cacerts file from time to time, but it never seems to be as up to date as a browser like Firefox.
Mozilla, the folks who make Firefox and other great internet software, have a rigorous process for approving certificate authorities before their software will trust the certificates those authorities sign. Once a certificate authority has been approved, its root certificate makes its way into the NSS (Network Security Services) libraries, which is what Firefox and other software use to decide whether a particular certificate can be trusted. The certificates can be found in the NSS source code, in the certdata.txt file.
Lots of Linux and open source software uses Mozilla's list of certificate authorities, most notably curl; the curl project has also built a nice utility called mk-ca-bundle that grabs Mozilla's source data and builds a PEM file from it.
So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the PEM certificate file into the JKS (Java keystore) format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.
Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.
#!/bin/sh
# Fetch Mozilla's current trust list straight from the NSS source tree
curl -o certdata.txt 'https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt'
# -n: use the certdata.txt just downloaded instead of fetching it again;
# mk-ca-bundle.pl writes the bundle to the file named as its argument
perl mk-ca-bundle.pl -n ca-bundle.crt
# Convert the PEM bundle into a brand-new JKS keystore
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt
Now you can pass JVM arguments to make Java use the new certificate authority file:
-Djavax.net.ssl.trustStore=/path/to/trustStore.jks
If you specified a password other than changeit, you will also need to pass that password in the JVM arguments:
-Djavax.net.ssl.trustStorePassword=yourPassword
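As an added example that is not part of the original post, the following script takes the keytool route instead of keyutil: it splits the ca-bundle.crt written by mk-ca-bundle.pl into one file per certificate, imports each as a trusted entry with the JDK's own keytool (assumed to be on PATH), and then counts the trusted entries so you can confirm the store holds what you expect. The sample bundle it writes is constructed for illustration and contains placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example: JKS truststore from a mk-ca-bundle.pl PEM bundle via keytool (assumed on PATH).
# split_pem_bundle BUNDLE OUTDIR: one NNN_<label>.pem per certificate, the
# label being the line above each PEM block; prints the certificate count.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^=+$/ || /^$/ { next }            # skip label underlines and blank lines
        /-----BEGIN CERTIFICATE-----/ {
            n++; alias = tolower(prev); gsub(/[^a-z0-9]+/, "-", alias)
            out = sprintf("%s/%03d_%s.pem", dir, n, alias)
        }
        out != "" { print > out }          # inside a PEM block: copy the line
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        { prev = $0 }                      # remember the label line above BEGIN
        END { print n + 0 }
    ' "$1"
}
# import_bundle BUNDLE KEYSTORE PASSWORD: keytool creates KEYSTORE on the
# first import; -noprompt skips the per-certificate "Trust this?" question.
import_bundle() {
    tmp=$(mktemp -d) || return 1
    split_pem_bundle "$1" "$tmp" >/dev/null
    for f in "$tmp"/*.pem; do
        keytool -importcert -noprompt -storetype JKS -keystore "$2" \
            -storepass "$3" -alias "$(basename "$f" .pem)" -file "$f" \
            >/dev/null || { rm -rf "$tmp"; return 1; }
    done
    rm -rf "$tmp"
}
# count_trusted_entries KEYSTORE PASSWORD: how many CAs the store now trusts.
count_trusted_entries() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}
# write_sample_bundle FILE: constructed two-entry bundle in mk-ca-bundle.pl's
# layout; the base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Example Root CA
===============
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
Second Test CA
==============
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----
EOF
}
```

A real run is `import_bundle ca-bundle.crt trustStore.jks changeit` followed by `count_trusted_entries trustStore.jks changeit`, and the count should match the number of certificates mk-ca-bundle.pl reported.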