tweag / nix-hour

Questions for the weekly Nix Hour
MIT License
78 stars, 3 forks

Java and Nix(OS) - how to openjdk trust? #62

Open con-f-use opened 10 months ago

con-f-use commented 10 months ago

I'm having a hard time adding extra certificates to the Java cert store. I'm not sure where openjdk (nix expression) gets its trust from, except that there is an environment variable patch for JAVAX_NET_SSL_TRUSTSTORE.

The usual NixOS option security.pki.certificateFiles doesn't seem to affect openjdk, and I'd like to avoid overriding pkgs.cacert as that would probably rebuild half the world.

In the non-nix realm, one would do something like keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias <SOMENAME> -file <SOME_CERT_FILE>, which comes with Java, but that gives a keytool error: java.io.FileNotFoundException: cacerts (Read-only file system) because it's probably in the read-only nix store.

So my questions are:

con-f-use commented 10 months ago

I think https://discourse.nixos.org/t/custom-ssl-certificates-for-jdk/18297/11 has the answer, maybe. Maybe the topic should be "Trust in general under NixOS, knowledge dump of Silvan and others".

Another fun fact: I didn't know internal NixOS options like security.pki.installCACerts existed.
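One way to apply the keytool import the question describes without writing into the read-only store: build the trust store as its own derivation and point the JAVAX_NET_SSL_TRUSTSTORE variable at it. This is an added example, not code from the issue, the linked Discourse thread, or nixpkgs; it assumes pkgs.openjdk ships bin/keytool and honours JAVAX_NET_SSL_TRUSTSTORE (the env var patch mentioned above), and uses the default keystore password "changeit" from the keytool command in the question.

```nix
# Hypothetical NixOS module (added example). Imports the Mozilla CA bundle plus
# every file in security.pki.certificateFiles into a PKCS12 store built at
# evaluation time, so nothing ever has to be written into a store path.
{ config, pkgs, lib, ... }:
let
  # Interpolating each path copies it into the store so the sandboxed build can read it.
  extraCerts = map (f: "${f}") config.security.pki.certificateFiles;

  javaTrustStore = pkgs.runCommand "java-cacerts" {
    nativeBuildInputs = [ pkgs.openjdk ];   # assumption: provides bin/keytool
  } ''
    # keytool -importcert takes one certificate per call, so split every PEM
    # bundle into single-certificate files first.
    n=0
    for bundle in ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${lib.concatStringsSep " " extraCerts}; do
      awk -v p="cert-$n-" 'BEGIN{c=0} {print > (p c ".pem")} /-----END CERTIFICATE-----/{c++}' "$bundle"
      n=$((n+1))
    done

    for f in cert-*.pem; do
      # Skip fragments that hold only whitespace between certificates.
      grep -q 'BEGIN CERTIFICATE' "$f" || continue
      keytool -importcert -noprompt -trustcacerts \
        -keystore "$out" -storetype PKCS12 -storepass changeit \
        -alias "$(basename "$f" .pem)" -file "$f"
    done
  '';
in {
  # The patched openjdk reads this variable instead of its built-in cacerts file.
  environment.variables.JAVAX_NET_SSL_TRUSTSTORE = "${javaTrustStore}";
}
```

Because the store is rebuilt whenever security.pki.certificateFiles changes, only this small derivation is rebuilt, not pkgs.cacert and everything depending on it.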