Comment 6 for bug 1739631

Antti S. Lankila (alankila) wrote :

To comment #5: If what you describe is true, then that is a different bug, somehow. The default cacerts file should be in pkcs12 format, which can't be used by java for some reason. The JKS keystore file can be read, regardless of the keystore type setting in the security file.

However, I am happy about the suggestion to change the keystore.type=jks parameter in the java.security file. Once this change has been made, openjdk-9 can also generate JKS keystores from "update-ca-certificates -f", and that is an altogether simpler way to recover from this bug than installing JDK 8, letting it generate a keystore, and then updating to JDK 9, which preserves the cacerts in JKS format regardless of the settings of JDK 9.

So here are the workaround steps that can be done instead, to fix TLS for Java 9 when the keystore type happens to be PKCS12.

1. Edit the /etc/java-9-openjdk/security/java.security file. Find the line that says keystore.type = pkcs12 and change it to jks.

2. rm the /etc/ssl/certs/java/cacerts file.

3. run "update-ca-certificates -f"
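The three steps above as a script, added here as an example; it is not part of the bug report or of the openjdk-9 packaging. The default paths are the ones named in the comment, and the format check is an assumption of this example rather than anything the comment describes: a JKS file begins with the magic bytes 0xFEEDFEED, while a PKCS12 file is DER and begins with a SEQUENCE tag (0x30), so the state of the cacerts file can be verified before and after the regeneration.

```shell
#!/bin/sh
# Added example: scripts the workaround from the comment. Not part of the bug
# report or of the openjdk-9 packaging. Default paths are the ones named in the
# comment; the format check relies on the JKS magic 0xFEEDFEED and on PKCS12
# being DER (first byte 0x30, a SEQUENCE tag).
set -eu

# Print jks, pkcs12, unknown or missing for the keystore at $1, from its first bytes.
keystore_format() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        30*)      echo pkcs12 ;;
        *)        echo unknown ;;
    esac
}

# Step 1: rewrite keystore.type=pkcs12 to jks in the java.security file at $1
# (tolerates spaces around '='), keeping a .bak copy, then print the resulting line.
set_keystore_type_jks() {
    sec="$1"
    sed -i.bak -E 's/^(keystore\.type[[:space:]]*=[[:space:]]*)pkcs12[[:space:]]*$/\1jks/' "$sec"
    grep -E '^keystore\.type[[:space:]]*=' "$sec"
}

# Steps 1-3 together. Needs root; update-ca-certificates is the Debian/Ubuntu
# tool that regenerates the Java cacerts file in the type java.security now names.
fix_java9_cacerts() {
    sec="${1:-/etc/java-9-openjdk/security/java.security}"
    cacerts="${2:-/etc/ssl/certs/java/cacerts}"
    echo "cacerts before: $(keystore_format "$cacerts")"
    set_keystore_type_jks "$sec"
    rm -f "$cacerts"
    update-ca-certificates -f
    echo "cacerts after:  $(keystore_format "$cacerts")"
}

# Only touch the system when asked explicitly:  sudo sh fix-cacerts.sh --run
if [ "${1:-}" = "--run" ]; then
    fix_java9_cacerts "${2:-}" "${3:-}"
fi
```

Run it as root with `--run` (optionally followed by a different java.security path and cacerts path). If the "after" line still reports pkcs12, the java.security file that was edited is not the one the installed openjdk-9 reads, which is worth checking before repeating the steps.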