Our libraries jPDFSecure, jPDFImages, jPDFProcess, jPDFViewer, jPDFNotes, jPDFEditor and jPDFWeb will trust Java Trusted Certificate Authorities by default when verifying digital signatures contained in PDF document.

Through the SignatureSettings class located in qoppa.com.pdf package and its static methods, it is possible to customize the trusted authorities by:

  •  Adding your own certificates
  •  Removing Java certificates
  •  Adding Windows store certificates

List of Java Trusted Certificate Authorities

How can I get a list of trusted root certificates (also called authorities or identities) trusted by the JVM?

Trusted authorities in Java are contained in the keystore called cacerts located under the java home/lib/security directory.

Here is a sample code to retrieve the list of trusted CAs.

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Iterator;
public class Main {public static void main(String[] args)
// load the cacerts keystore file
String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
FileInputStream is = new FileInputStream(filename);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
String password = "changeit";
keystore.load(is, password.toCharArray());
//retrieves the most-trusted CAs from the trusted certificate entries
PKIXParameters params = new PKIXParameters(keystore);
// get the set of trust anchors
Iterator it = params.getTrustAnchors().iterator();
while( it.hasNext() ) {
TrustAnchor ta = (TrustAnchor)it.next();
// get certificate
X509Certificate cert = ta.getTrustedCert();
System.out.println(<span style="font-size: small;">cert.getIssuerDN()</span>);
catch (CertificateException e) {}
catch (KeyStoreException e) {}
catch (NoSuchAlgorithmException e) {}
catch (InvalidAlgorithmParameterException e) {}
catch (IOException e) {}