cacerts : Java Glossary



A file used to keep the root certificates of signing authorities.

The default password for the cacerts file is changeit (changeme on the Mac).

In the JRE (Java Runtime Environment) look for it in:

cacerts list of trusted certificate authorities :

Since cacerts is a binary file, you must view it with keytool.exe using code like this.

Just to confuse you, there are even other copies of it in C:\Program Files\Java Web Start\cacerts. On my machine I found 10 copies! Lots of luck guessing which one it is using at any given time.

Since you implicitly trust all the CAs (Certificate Authorities) in the cacerts file for code signing and verification, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust.

cacerts is stored in JKS (Java Key Store) format, similar to PKCS (Public-Key Cryptography Standards) #12. It contains only public keys, no private keys, and is protected by a passphrase. It may also contain SSL (Secure Sockets Layer) keys.

The first four signature bytes of a Sun cacerts file in hex are FEEDFEED.

You can find the cacerts file with a system property, that will be visible in a browser: = C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs

Why the Password?

cacerts has a password. It contains nothing secret. If a third party wanted to insert bogus signing authorities, they would just replace the entire file. The password only blocks programs that reach cacerts through the API (Application Programming Interface); it does nothing against anyone with access to the file itself.
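The following is an added example, not code from the original page: a Python sketch that inventories the trusted entries of a version 2 JKS file without the password and then checks the password-keyed integrity digest. The layout it parses reflects Sun's JKS implementation as an assumption of this example; the sample keystore, its alias and its certificate bytes are constructed placeholders.

```python
import hashlib
import struct

MAGIC = 0xFEEDFEED  # signature bytes the page gives for a Sun cacerts file

def _utf(buf, pos):
    """Read a Java writeUTF string: 2-byte length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _digest(password, body):
    """SHA-1 over the UTF-16BE password, a fixed salt string and the data."""
    salted = password.encode("utf-16-be") + b"Mighty Aphrodite" + body
    return hashlib.sha1(salted).digest()

def list_trusted(buf):
    """Return [(alias, SHA-256 of certificate)]; no password is needed."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != MAGIC or version != 2:
        raise ValueError("not a version 2 JKS keystore")
    pos, found = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        alias, pos = _utf(buf, pos + 4)
        pos += 8  # creation time, milliseconds since the epoch
        if tag != 2:  # 1 = private key entry, not expected in cacerts
            raise ValueError("unexpected non-certificate entry: " + alias)
        _cert_type, pos = _utf(buf, pos)  # normally "X.509"
        (n,) = struct.unpack_from(">I", buf, pos)
        found.append((alias, hashlib.sha256(buf[pos + 4:pos + 4 + n]).hexdigest()))
        pos += 4 + n
    return found

def integrity_ok(buf, password):
    """The password only keys the digest stored in the last 20 bytes."""
    return _digest(password, buf[:-20]) == buf[-20:]

def make_sample(password, entries):
    """Build a constructed keystore for the demo (placeholder cert bytes)."""
    def utf(s):
        raw = s.encode("utf-8")
        return struct.pack(">H", len(raw)) + raw
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, cert in entries:
        body += struct.pack(">I", 2) + utf(alias) + struct.pack(">q", 0)
        body += utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)

SAMPLE = make_sample("changeit", [("exampleca", b"constructed-cert-bytes")])
```

Comparing the `list_trusted` output of each cacerts copy against a known-good inventory shows which copies carry entries you did not approve, whether or not the digest still verifies.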

Assembla: accessing the Windows certificate repository from Java
keyman: a more user-friendly cacerts manipulator
KeyTool IUI: third party GUI version of keytool

Contact Roedy. Please feel free to link to this page without explicit permission.
