Opened 10 years ago
Last modified 8 years ago
#12264 closed enhancement
Add own CA's to Java cert-store — at Initial Version
| Reported by: | stoecker | Owned by: | team |
|---|---|---|---|
| Priority: | major | Milestone: | 16.04 |
| Component: | Core | Version: | |
| Keywords: | | Cc: | bastiK, Don-vip, lists@… |
Description
The fact is that Oracle does not follow the CA handling of the web browsers, and this causes problems with renewal of the web pages we access (josm.openstreetmap.org, svn.openstreetmap.org, wiki.openstreetmap.org, trac.openstreetmap.org, taginfo.openstreetmap.org, (gps-)(a|b|c).tile.openstreetmap.org, www.openstreetmap.org, nominatim.openstreetmap.org, api.openstreetmap.org).
The test with StartSSL/Wosign showed that this is mainly a Windows issue, as (all?) the Linux versions use the systemwide certificate store.
A solution for the future would be if we added CAs ourselves, which are commonly accepted (except by Oracle) and used by the sites we access. That could include StartSSL (+Wosign) and IdenTrust (+Let's Encrypt).
The idea would be to test whether certain CAs are acceptable (either the list is readable or we can set up test pages for these) and if not ask the user if the CAs should be installed. The result should be remembered, so this is only asked and done once.
This method should be limited to certs which are accepted by the big three browsers (Firefox, Chrome and IE).
See
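
Added example, not part of the ticket and not JOSM's code: one way to do the "list is readable" check described above is to enumerate the trust anchors the running JRE accepts by default and compare them by SHA-256 fingerprint against the CAs the application wants. The class name `TrustAnchorCheck` and the all-zero fallback fingerprint are constructed for illustration; real fingerprints are passed as arguments.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {

    /** SHA-256 fingerprints (lowercase hex) of every CA the running JRE trusts by default. */
    static Set<String> defaultAnchorFingerprints() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store (cacerts)
        Set<String> result = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    result.add(sha256Hex(ca.getEncoded()));
                }
            }
        }
        return result;
    }

    /** Hex-encoded SHA-256 digest of a DER-encoded certificate. */
    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Set<String> trusted = defaultAnchorFingerprints();
        System.out.println(trusted.size() + " default trust anchors found");
        // Arguments: SHA-256 fingerprints of the CA roots the application relies on.
        // Without arguments a constructed all-zero placeholder shows the "missing" path (Java 11+).
        String[] wanted = args.length > 0 ? args : new String[] {"00".repeat(32)};
        for (String w : wanted) {
            String fp = w.replace(":", "").toLowerCase();
            System.out.println(fp + (trusted.contains(fp)
                    ? ": already trusted by this JRE"
                    : ": not in the default store, ask the user once"));
        }
    }
}
```

Comparing by certificate fingerprint rather than by subject name avoids treating a differently keyed certificate with the same name as the expected CA.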


