--- icedtea6-1.10.4/Makefile.am
+++ icedtea6-1.10.4.mod/Makefile.am
@@ -1376,6 +1376,19 @@
 if ENABLE_JAMVM
 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_JRE_ARCH_DIR)/jvm.cfg
 endif
+if GENERATE_CACERTS
+	if test -n "${CADIR}"; then \
+	  sh scripts/mkcacerts.sh -d "${CADIR}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	else \
+	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	fi; \
+	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
 	@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
 	mkdir -p stamps
 	touch stamps/icedtea.stamp
@@ -1407,6 +1420,19 @@
 if ENABLE_JAMVM
 	printf -- '-jamvm ALIASED_TO -server\n' >> $(BUILD_DEBUG_JRE_ARCH_DIR)/jvm.cfg
 endif
+if GENERATE_CACERTS
+	if test -n "${CADIR}"; then \
+	  sh scripts/mkcacerts.sh -d "${CADIR}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	else \
+	  sh scripts/mkcacerts.sh -f "${CAFILE}" \
+	    -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
+	    -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts; \
+	fi; \
+	cp -f $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts \
+	   $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/cacerts;
+endif
 	@echo "IcedTea (debug build) is served:" \
 	  $(DEBUG_BUILD_OUTPUT_DIR)
 	mkdir -p stamps
@@ -1457,7 +1483,7 @@
 	    $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
 	fi
 	cp $(abs_top_builddir)/tapset/jstack.stp \
-	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+	  $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
 endif
 	touch stamps/add-systemtap.stamp
 
@@ -1483,7 +1509,7 @@
 	    $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot_jni.stp; \
 	fi
 	cp $(abs_top_builddir)/tapset/jstack.stp \
-	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp
+	  $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp;
 endif
 	touch stamps/add-systemtap-debug.stamp
 
--- icedtea6-1.10.4/Makefile.in
+++ icedtea6-1.10.4.mod/Makefile.in
@@ -175,6 +175,8 @@
 BUILD_ARCH_DIR = @BUILD_ARCH_DIR@
 BUILD_OS_DIR = @BUILD_OS_DIR@
 CACAO_IMPORT_PATH = @CACAO_IMPORT_PATH@
+CADIR = @CADIR@
+CAFILE = @CAFILE@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
--- icedtea6-1.10.4/acinclude.m4
+++ icedtea6-1.10.4.mod/acinclude.m4
@@ -1677,3 +1677,94 @@
 AM_CONDITIONAL([CP40188_JAVAH], test x"${it_cv_cp40188_javah}" = "xyes")
 AC_PROVIDE([$0])dnl
 ])
+
+--- acinclude.m4	2011-01-22 21:34:29.000000000 -0600
++++ acinclude.m4	2011-01-22 21:34:58.000000000 -0600
+@@ -316,6 +316,91 @@
+   AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
+ ])
+ 
+AC_DEFUN([IT_GENERATE_CACERTS],
+[
+  AC_MSG_CHECKING([whether to generate a cacerts file for distribution])
+  AC_ARG_ENABLE([cacerts],
+              [AS_HELP_STRING(--enable-cacerts, generate a cacerts file for distribution [[default=no]])],
+  [
+    case "${enableval}" in
+      no)
+        generate_cacerts=no
+        ;;
+      *)
+        generate_cacerts=yes
+        ;;
+    esac
+  ],
+  [
+    generate_cacerts=no
+  ])
+  AC_MSG_RESULT([$generate_cacerts])
+  AM_CONDITIONAL([GENERATE_CACERTS], test x"${generate_cacerts}" = "xyes")
+])
+
+AC_DEFUN([IT_GET_LOCAL_CACERTS],
+[
+  AC_MSG_CHECKING([for a local x509 certificate directory])
+  AC_ARG_WITH([ca-dir],
+              [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)],
+  [
+    if test -d "${withval}"; then
+      CADIR="${withval}"
+    fi
+  ],
+  [
+    CADIR=
+  ])
+  if test -z "${CADIR}"; then
+    for dir in /etc/pki/tls/certs \
+      /usr/share/ca-certificates \
+      /etc/ssl/certs \
+      /etc/certs ; do
+        if test -d "${dir}"; then
+          CADIR="${dir}"
+          break
+        fi
+    done
+    if test -z "${CADIR}"; then
+      CADIR=no
+    fi
+  fi
+  AC_MSG_RESULT(${CADIR})
+  AC_SUBST(CADIR)
+
+  AC_MSG_CHECKING([for a local x509 certificate file])
+  AC_ARG_WITH([ca-file],
+              [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)],
+  [
+    if test -f "${withval}"; then
+      CAFILE="${withval}"
+    fi
+  ],
+  [
+    CAFILE=
+  ])
+  if test -z "${CAFILE}"; then
+    for file in /etc/pki/tls/certs/ca-bundle.crt \
+      /etc/ssl/certs/ca-bundle.crt \
+      /etc/ssl/ca-bundle.crt \
+      /etc/ca-bundle.crt ; do
+        if test -e "${file}"; then
+          CAFILE=$file
+          break
+        fi
+    done
+    if test -z "${CAFILE}"; then
+      CAFILE=no
+    fi
+  fi
+  AC_MSG_RESULT(${CAFILE})
+  AC_SUBST(CAFILE)
+  if test "${CADIR}x" = "nox" -a "${CAFILE}x" = "nox"; then
+    AC_MSG_WARN([Could not find a suitable x509 certificate store.])
+    AC_MSG_ERROR([Supply a valid location using --with-ca-dir or --with-ca-file, or remove the --enable-cacerts switch.])
+  fi
+])
--- icedtea6-1.10.4/configure.ac
+++ icedtea6-1.10.4.mod/configure.ac
@@ -138,6 +138,13 @@
   AC_MSG_RESULT([disabled by default (edit java.security to enable)])
 fi
 
+IT_GENERATE_CACERTS
+
+if test "x${generate_cacerts}" = "xyes"
+then
+  IT_GET_LOCAL_CACERTS
+fi
+
 IT_GET_PKGVERSION
 IT_GET_LSB_DATA
 
--- /dev/null
+++ icedtea6-1.10.4.mod/scripts/mkcacerts.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+# Simple script to extract x509 certificates and create a JRE cacerts file.
+
+get_args()
+    {
+        if test -z "${1}" ; then
+            showhelp
+            exit 1
+        fi
+
+        while test -n "${1}" ; do
+            case "${1}" in
+                -f | --cafile)
+                    check_arg $1 $2
+                    CAFILE="${2}"
+                    shift 2
+                ;;
+                -d | --cadir)
+                    check_arg $1 $2
+                    CADIR="${2}"
+                    shift 2
+                ;;
+                -o | --outfile)
+                    check_arg $1 $2
+                    OUTFILE="${2}"
+                    shift 2
+                ;;
+                -k | --keytool)
+                    check_arg $1 $2
+                    KEYTOOL="${2}"
+                    shift 2
+                ;;
+                -h | --help)
+                     showhelp
+                     exit 0
+                ;;
+                *)
+                   showhelp
+                   exit 1
+                ;;
+            esac
+        done
+    }
+
+check_arg()
+    {
+        echo "${2}" | grep -v "^-" > /dev/null
+        if [ -z "$?" -o ! -n "$2" ]; then
+            echo "Error:  $1 requires a valid argument."
+            exit 1
+        fi
+    }
+
+
+showhelp()
+    {
+        echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
+        echo ""
+        echo "        -f  --cafile        The path to a file containing PEM formated CA"
+        echo "                            certificates.  May not be used with -d/--cadir."
+        echo "        -d  --cadir         The path to a diectory of PEM formatted CA"
+        echo "                            certificates.  May not be used with -f/--cafile."
+        echo "        -o  --outfile       The path to the output file."
+        echo ""
+        echo "        -k  --keytool       The path to the java keytool utility."
+        echo ""
+        echo "        -h  --help          Show this help message and exit."
+        echo ""
+        echo ""
+    }
+
+# Initialize empty variables so that the shell does not polute the script
+CAFILE=""
+CADIR=""
+OUTFILE=""
+KEYTOOL=""
+
+# Process command line arguments
+get_args ${@}
+
+# Handle common errors
+if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
+    echo "ERROR!  You must provide an x509 certificate store!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
+    echo "ERROR!  You cannot provide two x509 certificate stores!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${KEYTOOL}x" == "x" ; then
+    echo "ERROR!  You must provide a valid keytool program!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+if test "${OUTFILE}x" == "x" ; then
+    echo "ERROR!  You must provide a valid output file!"
+    echo "\'$(basename ${0}) --help\' for more info."
+    echo ""
+    exit 1
+fi
+
+# Get on with the work
+
+# If using a CAFILE, split it into individual files in a temp directory
+if test "${CAFILE}x" != "x" ; then
+    TEMPDIR=`mktemp -d`
+    CADIR="${TEMPDIR}"
+
+    # Get a list of staring lines for each cert
+    CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Get a list of ending lines for each cert
+    ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
+
+    # Start a loop
+    for certbegin in `echo "${CERTLIST}"` ; do
+        for certend in `echo "${ENDCERTLIST}"` ; do
+            if test "${certend}" -gt "${certbegin}"; then
+                break
+            fi
+        done
+        sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}"
+        keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash`
+        echo "Generated PEM file with hash:  ${keyhash}."
+        mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem"
+    done
+fi
+
+# Write the output file
+for cert in `find "${CADIR}" -type f -name "*.pem" -o -name "*.crt"`
+do
+    ls "${cert}"
+    tempfile=`mktemp`
+    certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
+    certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
+    sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
+    echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
+                   "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
+    rm "${tempfile}"
+done
+
+if test "${TEMPDIR}x" != "x" ; then
+    rm -rf "${TEMPDIR}"
+fi
+exit 0
+