Flags and properties
These options affect TLS identity, trust decisions, protocol selection, cryptographic policy, and module encapsulation. Treat them as deployment security controls, not generic tuning flags.
Option details
- -Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12
- Points JSSE-based clients and servers to trusted certificate authorities or pinned partner certificates.
- -Djavax.net.ssl.trustStoreType=PKCS12
- Declares the truststore format. PKCS#12 is the usual modern choice.
- -Djavax.net.ssl.keyStore=/etc/ssl/app/keystore.p12
- Points the JVM to the private-key material and certificate chain used for client authentication or server identity.
- -Djavax.net.ssl.keyStoreType=PKCS12
- Declares the keystore format.
- -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2
- Limits TLS client protocol negotiation to modern versions when older protocols must be excluded explicitly.
- -Djdk.tls.disabledAlgorithms=...
- Overrides the disabled algorithm policy. Prefer editing a controlled
java.securityoverlay instead of putting a long policy directly on the command line. - --add-opens / --add-exports
- Weakens Java module encapsulation for compatibility. Keep these options narrow, temporary, and tied to a tracked dependency upgrade.
When to use it
Use this recipe when a JVM process must trust a private CA, present a client certificate, disable weak TLS behavior, or document module-access exceptions needed by legacy libraries.
Java version support
JSSE truststore and keystore system properties are longstanding Java options. TLS 1.3 is
available from Java 11. Module access options such as --add-opens and
--add-exports are available from Java 9.
Related JEPs
Examples
Trust a private certificate authority
java -Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12 \
-Djavax.net.ssl.trustStoreType=PKCS12 \
-Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 \
-jar app.jar
Mount the truststore as a file and keep the password outside the process argument list.
Use a client certificate for mTLS
java -Djavax.net.ssl.keyStore=/etc/ssl/app/client-keystore.p12 \
-Djavax.net.ssl.keyStoreType=PKCS12 \
-Djavax.net.ssl.trustStore=/etc/ssl/app/truststore.p12 \
-Djavax.net.ssl.trustStoreType=PKCS12 \
-jar app.jar
Use secret-mounted files for the keystore, truststore, and passwords.
Load a controlled security-policy overlay
java -Djava.security.properties=/etc/java/app-security.properties \
-jar app.jar
Use this for disabled algorithm policy instead of hard-coding a long policy in startup flags.
Document a narrow module exception
java --add-opens java.base/java.lang=ALL-UNNAMED \
-jar legacy-app.jar
Keep module exceptions rare and remove them after the dependency is upgraded.
Verify
- Confirm TLS protocol and cipher negotiation with application logs, JFR, or endpoint testing.
- Check certificate expiry and trust-chain rotation before deployment.
- Inspect process arguments to ensure secrets are not visible.
- Track every
--add-opensor--add-exportsoption to a dependency issue.