Determining the CA Roots Included as Part of Mule Runtime

For the base CA certificates that Mule uses in it's standard SSL checks, we rely on ‌the CA root and intermediate certificates that are included in Java. These are located in the certificates file named "cacerts" that resides in the security directory under the JAVA_HOME - java.home\lib\security. This includes all the certificates that meet the requirements by Oracle to be recognized as a valid CA or intermediate certificate.

This cacerts file represents a system-wide keystore and it includes commonly used certificate vendors root CA certificates. However, if you are using a certificate that has been issued by a vendor not in this list, it is likely that you will see the following error 
 

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ...

The only way to determine if the vendor is included in this file is to inspect the file. 

keytool -list -v -keystore /path/to/cacerts

There is no published list of the certificates included in the JDK releases and the certificates included vary from JDK release to JDK release, based upon Oracle's criteria.