Root Certificate Authority
Codehaus uses a certificate provided by StartSSL which uses a CA that isn't included in the default JDK trusted CA list.
Installing the StartSSL CA into the Java JDK
Install the certificate into the JDK Trusted CA Certs (The default password is "changeit" or "changeme" (depending on the JDK installed))
Installing the StartSSL CA into the Java JDK as non-root
If do not have permission to modify your JDK installation you can add the certificate to your own keystore. The keytool that comes with the JDK uses ~/.keystore by default. When running a JVM you need to tell the JVM about the keystore. It appears as if it will use this keystore in addition to the one in the JDK so there is no need to add all the certificates from the JVM to the user copy.
NOTE: If you want to debug the security related stuff add the -Djava.security.debug=all option
Since we have "a few" JDKs at Codehaus on various servers, we've written a bulk updater - deploy-ca - which will scan your various Java install areas and try and deploy the CA into those cacert files. You will need to download startssl-CA.pem and startssl-Intermediate.pem into the same directory.
It seems to work, but please exercise due caution.
You may need to change the get_pass routine to return "changeme" rather than "changeit" as some systems seem to have a different perspective on the default store password.
This has not been tested on Windows, but has been successfully used on Linux (RHEL5) and OSX 10.6