Tags: java, security, ssl, https, truststore

How to keep the truststore of a java application up-to-date?


I am currently working towards enforcing SSL trust for all outward HTTPS communication in my Java application, including disallowing self-signed certificates in the hardened mode.

However, I am wondering how and whether the SSL trust is always trustworthy. Can you help me understand the details below about truststores in Java? The SSL trust solely depends on the contents of our trust store (the trust anchors on which we base the trust).

  1. Is the default Java certificate store kept updated automatically, i.e. if a new CA comes up (unless a Java upgrade package is installed)?
  2. Does trusted root CA information in trust stores need a constant update to maintain SSL security?

Solution

  1. The Java trust store is only updated when you update the JRE. If you want to add new CA certificates, you need to do this on your own. In my experience this is not necessary for public CAs if you keep your JRE up to date.
  2. No, you do not need to update the information. In the worst case you have certificates in the trust store that are too old and you cannot connect to a server, and that is not a security issue.
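As an added example (not part of the question or the answer above), the following program does the two things the answer leaves to the application owner: it audits a truststore for expired or soon-expiring trust anchors, and optionally imports a new root CA on its own. The truststore path, password and CA file are placeholder command-line arguments.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Enumeration;

/** Usage: java TrustStoreAudit <truststore-path> <password> [new-ca.pem] (placeholder arguments). */
public class TrustStoreAudit {
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();
        // The default keystore type reads both JKS and PKCS12 cacerts files on current JDKs.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ts.load(in, password); }

        Instant now = Instant.now(), soon = now.plus(90, ChronoUnit.DAYS);
        int total = 0, expired = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate cert = ts.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;  // skip non-X.509 and key entries
            X509Certificate x = (X509Certificate) cert;
            Instant notAfter = x.getNotAfter().toInstant();
            total++;
            if (notAfter.isBefore(now)) {
                expired++;
                System.out.println("EXPIRED  " + alias + "  " + x.getSubjectX500Principal());
            } else if (notAfter.isBefore(soon)) {
                System.out.println("EXPIRING " + alias + "  " + x.getSubjectX500Principal() + " at " + notAfter);
            }
        }
        System.out.println(total + " trust anchors, " + expired + " expired");

        if (args.length > 2) {  // optionally import a new root CA from a PEM or DER file
            X509Certificate ca;
            try (InputStream in = new FileInputStream(args[2])) {
                ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            ca.verify(ca.getPublicKey());  // a root must be self-signed: rejects a leaf or intermediate
            ca.checkValidity();            // and must be currently valid
            if (ca.getBasicConstraints() < 0) throw new IllegalArgumentException("not a CA certificate");
            ts.setCertificateEntry("added-" + ca.getSerialNumber().toString(16), ca);
            try (FileOutputStream out = new FileOutputStream(path)) { ts.store(out, password); }
            System.out.println("Added trust anchor " + ca.getSubjectX500Principal());
        }
    }
}
```

Run it against a copy of `$JAVA_HOME/lib/security/cacerts` first; writing to the JRE's own file is overwritten on the next JRE update, which is why the answer recommends maintaining your own truststore.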