118

I am looking on how how to obtain the location of cacerts of the default java installation, when you do not have JAVA_HOME or JRE_HOME defined.

I need a solution that works at least for OS X and Linux.

Yes. java -v is assumed to work :)

sorin
  • 149,293
  • 163
  • 498
  • 754

8 Answers8

202

Under Linux, to find the location of $JAVA_HOME:

readlink -f /usr/bin/java | sed "s:bin/java::"

the cacerts are under lib/security/cacerts:

$(readlink -f /usr/bin/java | sed "s:bin/java::")lib/security/cacerts

Under mac OS X , to find $JAVA_HOME run:

/usr/libexec/java_home

the cacerts are under Home/lib/security/cacerts:

$(/usr/libexec/java_home)/lib/security/cacerts

UPDATE (OS X with JDK)

above code was tested on computer without JDK installed. With JDK installed, as pR0Ps said, it's at

$(/usr/libexec/java_home)/jre/lib/security/cacerts
HoldOffHunger
  • 15,349
  • 8
  • 79
  • 115
Kuf
  • 16,574
  • 5
  • 63
  • 89
  • 8
    In OS X, the "official" way to find JAVA_HOME is running `/usr/libexec/java_home` – Daniel Serodio May 28 '13 at 16:43
  • 2
    @DanielSerodio, agreed. `/usr/libexec/java_home` gives me a different answer from the `readlink`-based command above, and the former seems to be correct, in that it contains the `cacerts` file. – Andrew Ferrier Mar 10 '14 at 15:32
  • 1
    @DanielSerodio and AndrewFerrier thanks guys, answer updated. – Kuf Mar 10 '14 at 15:51
  • @Kuf My JDK does not have this lib/security folder on Mac Yosemite. I am positive that i am in the right $JAVA_HOME – Brian Feb 03 '16 at 17:54
  • @BrianVanover answer updated. If it doesn't work for you please specify '/usr/libexec/java_home' output and JDK version – Kuf Feb 04 '16 at 21:47
  • 1
    On OSX 10.10.5 the security folder is under: Home/jre/lib/security – Sid Sarasvati Mar 23 '16 at 15:24
  • Your command on my Linux system says No such file or directory as there is no /usr/java/jdk1.8.0_162/lib/security/cacerts. Is the rule different for jre an jdk? – Lee Meador Oct 21 '19 at 16:25
  • I ran this just now on Mojave with Zulu installed via brew (basically the .dmg installer) and it didn't work. I had to remove `jre/` from the path: `$(/usr/libexec/java_home)/lib/security/cacerts` – atwright147 May 07 '20 at 14:12
  • how come the "/usr/libexec/java_home" is different than "echo $JAVA_HOME" ? shouldn't they be the same path? – ennth May 11 '21 at 17:34
  • On MacOS Big Sur this was at `$(/usr/libexec/java_home)/Contents/Home/jre/lib/security/cacerts` – raghav710 Nov 26 '21 at 06:28
52

As of OS X 10.10.1 (Yosemite), the location of the cacerts file has been changed to

$(/usr/libexec/java_home)/jre/lib/security/cacerts
pR0Ps
  • 2,570
  • 2
  • 21
  • 24
12

If you need to access those certs programmatically it is best to not use the file at all, but access it via the trust manager. The following code is from a OpenJDK Test case (which makes sure the built cacerts collection is not empty):

TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers =
    trustManagerFactory.getTrustManagers();
X509TrustManager trustManager =
    (X509TrustManager) trustManagers[0];
X509Certificate[] acceptedIssuers =
    trustManager.getAcceptedIssuers();

So you don’t have to deal with file location or keystore password.

eckes
  • 9,711
  • 1
  • 55
  • 69
  • 1
    This is not reading the certificate installed in cacerts. i am able to if using file path and password – Somnath Singh Sep 21 '20 at 14:45
  • Yup @SomnathSingh is correct, this is definitely not reading the root cacerts. I have no idea what this is actually reading though. – Hunter Jackson Jan 29 '21 at 17:51
  • It reads the cacerts file in the same way the JDK implementation is using the default implementation. – eckes Jan 29 '21 at 19:58
11

In MacOS Mojave, the location is:

/Library/Java/JavaVirtualMachines/jdk1.8.0_192.jdk/Contents/Home/jre/lib/security/cacerts

If using sdkman to manage java versions, the cacerts is in

~/.sdkman/candidates/java/current/jre/lib/security
snugghash
  • 390
  • 2
  • 11
Nish
  • 539
  • 5
  • 7
  • 2
    NOTE: For current versions of sdkman w/ JDK 11, the location is `~/.sdkman/candidates/java/current/lib/security` – Snekse Jan 30 '20 at 20:08
4

In High Sierra, the cacerts is located at : /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/jre/lib/security/cacerts

Azzabi Haythem
  • 2,141
  • 7
  • 25
  • 30
arpurush
  • 49
  • 3
4

For Java 9 onwards, it's in

${JAVA_HOME}/lib/security/cacerts

as opposed to the usual

${JAVA_HOME}/jre/lib/security/cacerts

jumping_monkey
  • 3,799
  • 2
  • 28
  • 42
1

You can also consult readlink -f "which java". However it might not work for all binary wrappers. It is most likely better to actually start a Java class.

eckes
  • 9,711
  • 1
  • 55
  • 69
1

In Ubuntu 20.04.3 LTS, the cacerts is located at: /etc/ssl/certs/java/cacerts

$ java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)

$ ls -lah /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts*
/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
Felipe Windmoller
  • 1,167
  • 1
  • 9
  • 14