- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTIFICATE' format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert