diff -Nru ca-certificates-java-20180413ubuntu1/debian/changelog ca-certificates-java-20180413ubuntu2~01/debian/changelog
--- ca-certificates-java-20180413ubuntu1/debian/changelog	2018-05-03 22:31:24.000000000 -0300
+++ ca-certificates-java-20180413ubuntu2~01/debian/changelog	2018-05-14 23:16:43.000000000 -0300
@@ -1,3 +1,13 @@
+ca-certificates-java (20180413ubuntu2) cosmic; urgency=medium
+ 
+  * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
+    and update PATH if a known jvm was found.
+  * debian/postinst.in: Detect PKCS12 cacert keystore generated by
+    previous ca-certificates-java and convert them to JKS. (Closes: #898678)
+    (LP: #1771363)
+
+ -- Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>  Tue, 15 May 2018 02:16:43 +0000
+ 
 ca-certificates-java (20180413ubuntu1) cosmic; urgency=medium
 
   * Merge from debian unstable. Remaining changes: (LP: #1769013,
diff -Nru ca-certificates-java-20180413ubuntu1/debian/jks-keystore.hook.in ca-certificates-java-20180413ubuntu2~01/debian/jks-keystore.hook.in
--- ca-certificates-java-20180413ubuntu1/debian/jks-keystore.hook.in	2018-05-03 22:31:24.000000000 -0300
+++ ca-certificates-java-20180413ubuntu2~01/debian/jks-keystore.hook.in	2018-05-14 23:16:43.000000000 -0300
@@ -45,12 +45,12 @@
            oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
            java-11-openjdk-$arch java-11-openjdk \
            oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
-if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+    if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+        export JAVA_HOME=/usr/lib/jvm/$jvm
+        PATH=$JAVA_HOME/bin:$PATH
     	break
-fi
+    fi
 done
-export JAVA_HOME=/usr/lib/jvm/$jvm
-PATH=$JAVA_HOME/bin:$PATH
 
 if dpkg-query --version >/dev/null; then
     nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1)
diff -Nru ca-certificates-java-20180413ubuntu1/debian/postinst.in ca-certificates-java-20180413ubuntu2~01/debian/postinst.in
--- ca-certificates-java-20180413ubuntu1/debian/postinst.in	2018-04-13 09:03:15.000000000 -0300
+++ ca-certificates-java-20180413ubuntu2~01/debian/postinst.in	2018-05-14 23:16:43.000000000 -0300
@@ -35,12 +35,50 @@
                oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
                java-11-openjdk-$arch java-11-openjdk \
                oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do
-    if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
-        break
+        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
+            export JAVA_HOME=/usr/lib/jvm/$jvm
+            PATH=$JAVA_HOME/bin:$PATH
+            break
         fi
     done
-    export JAVA_HOME=/usr/lib/jvm/$jvm
-    PATH=$JAVA_HOME/bin:$PATH
+}
+
+check_proc()
+{
+    if ! mountpoint -q /proc; then
+        echo >&2 "the keytool command requires a mounted proc fs (/proc)."
+        exit 1
+    fi
+}
+
+convert_pkcs12_keystore_to_jks()
+{
+    if ! keytool -importkeystore \
+                 -srckeystore /etc/ssl/certs/java/cacerts \
+                 -destkeystore /etc/ssl/certs/java/cacerts.dpkg-new \
+                 -srcstoretype PKCS12 \
+                 -deststoretype JKS \
+                 -srcstorepass "$storepass" \
+                 -deststorepass "$storepass" \
+                 -noprompt; then
+        echo "failed to convert PKCS12 keystore to JKS" >&2
+        exit 1
+    fi
+
+    # only update if /etc/default/cacerts allows
+    if [ "$cacerts_updates" = "yes" ]; then
+        mv -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
+        mv -f /etc/ssl/certs/java/cacerts.dpkg-new /etc/ssl/certs/java/cacerts
+    fi
+}
+
+do_cleanup()
+{
+    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
+    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
+    then
+        rm -f $nssjdk/libnss3.so
+    fi
 }
 
 first_install()
@@ -74,15 +112,6 @@
     echo "done."
 }
 
-do_cleanup()
-{
-    [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
-    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]
-    then
-        rm -f $nssjdk/libnss3.so
-    fi
-}
-
 case "$1" in
     configure)
         if dpkg --compare-versions "$2" lt "20110912ubuntu6"; then
@@ -91,14 +120,18 @@
                 cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
             fi
         fi
-        if [ -z "$2" -o -n "$FIXOLD" ]; then
-            setup_path
 
-            if ! mountpoint -q /proc; then
-                echo >&2 "the keytool command requires a mounted proc fs (/proc)."
-                exit 1
-            fi
+        setup_path
 
+        if dpkg --compare-versions "$2" lt "20180413ubuntu2"; then
+            if [ -e /etc/ssl/certs/java/cacerts \
+                 -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then
+                check_proc
+                convert_pkcs12_keystore_to_jks
+            fi
+        fi
+        if [ -z "$2" -o -n "$FIXOLD" ]; then
+            check_proc
             trap do_cleanup EXIT
             first_install
         fi