According to the Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material:
- system property javax.net.ssl.trustStore
- java-home/lib/security/jssecacerts
- java-home/lib/security/cacerts (shipped by default)
I think this is based on the convention-over-configuration concept. Without extra coding effort, cacerts will be used. For extra private CA/signing certs, a developer can use either the first or second way, where the former may just contain a particular cert but the latter contains a list of certs.
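To check which of the three steps applies on a given JVM, the lookup order above can be walked by hand and compared with what the default TrustManagerFactory actually loads. This is an added example, not part of the original answer or the JSSE guide; the class name TrustStoreLookup and the resolve() helper are made up for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class (not from the JSSE guide): reports which step supplies trust material.
public class TrustStoreLookup {

    // Walks the three steps in the order listed above and returns the first match.
    static String resolve() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) {
            boolean exists = Files.isRegularFile(Paths.get(prop));
            return "system property javax.net.ssl.trustStore -> " + prop
                    + " (file exists: " + exists + ")";
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = securityDir.resolve("jssecacerts");
        if (Files.isRegularFile(jssecacerts)) {
            return "jssecacerts -> " + jssecacerts;
        }
        Path cacerts = securityDir.resolve("cacerts");
        if (Files.isRegularFile(cacerts)) {
            return "cacerts (shipped by default) -> " + cacerts;
        }
        return "no trust store file found";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Expected trust material: " + resolve());

        // Passing a null KeyStore makes the factory perform its own default lookup.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("Trusted CA certificates loaded: " + n);
            }
        }
    }
}
```

Running it once plainly and once with -Djavax.net.ssl.trustStore=/path/to/store shows the first step taking precedence: the reported source changes and the trusted CA count reflects only the certificates in that store.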