--- a/make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java	Fri Jun 14 12:19:14 2019 -0700
+++ b/make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java	Sat Jun 15 14:39:04 2019 +0800
@@ -25,12 +25,23 @@
 
 package build.tools.generatecacerts;
 
+import java.io.DataOutputStream;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.KeyStore;
+import java.security.DigestOutputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * Generate cacerts
@@ -39,23 +50,99 @@
  */
 public class GenerateCacerts {
     public static void main(String[] args) throws Exception {
-        KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(null, null);
-        CertificateFactory cf = CertificateFactory.getInstance("X509");
-        Files.list(Path.of(args[0]))
-                .filter(p -> !p.getFileName().toString().equals("README"))
-                .forEach(p -> {
-                    try {
-                        String alias = p.getFileName().toString() + " [jdk]";
-                        try (InputStream fis = Files.newInputStream(p)) {
-                            ks.setCertificateEntry(alias, cf.generateCertificate(fis));
-                        }
-                    } catch (Exception e) {
-                        throw new RuntimeException(e);
-                    }
-                });
         try (FileOutputStream fos = new FileOutputStream(args[1])) {
-            ks.store(fos, "changeit".toCharArray());
+            store(args[0], fos, "changeit".toCharArray());
         }
     }
+
+    // The following code are copied from JavaKeyStore.java.
+
+    private static final int MAGIC = 0xfeedfeed;
+    private static final int VERSION_2 = 0x02;
+
+    // This method is a simplified version of JavaKeyStore::engineStore.
+    // A new "dir" argument is added. All cert names in "dir" is collected into
+    // a sorted array. Each cert is stored with a creation date set to its
+    // notBefore value. Thus the output is determined as long as the certs
+    // are the same.
+    public static void store(String dir, OutputStream stream, char[] password)
+            throws IOException, NoSuchAlgorithmException, CertificateException
+    {
+        byte[] encoded; // the certificate encoding
+        CertificateFactory cf = CertificateFactory.getInstance("X509");
+
+        MessageDigest md = getPreKeyedHash(password);
+        DataOutputStream dos
+                = new DataOutputStream(new DigestOutputStream(stream, md));
+
+        dos.writeInt(MAGIC);
+        // always write the latest version
+        dos.writeInt(VERSION_2);
+
+        // All file names in dir sorted.
+        // README is excluded. Name starting with "." excluded.
+        List<String> entries = Files.list(Path.of(dir))
+                .map(p -> p.getFileName().toString())
+                .filter(s -> !s.equals("README") && !s.startsWith("."))
+                .collect(Collectors.toList());
+
+        entries.sort(String::compareTo);
+
+        dos.writeInt(entries.size());
+
+        for (String entry : entries) {
+
+            String alias = entry + " [jdk]";
+            X509Certificate cert;
+            try (InputStream fis = Files.newInputStream(Path.of(dir, entry))) {
+                cert = (X509Certificate) cf.generateCertificate(fis);
+            }
+
+            dos.writeInt(2);
+
+            // Write the alias
+            dos.writeUTF(alias);
+
+            // Write the (entry creation) date, which is notBefore of the cert
+            dos.writeLong(cert.getNotBefore().getTime());
+
+            // Write the trusted certificate
+            encoded = cert.getEncoded();
+            dos.writeUTF(cert.getType());
+            dos.writeInt(encoded.length);
+            dos.write(encoded);
+        }
+
+        /*
+         * Write the keyed hash which is used to detect tampering with
+         * the keystore (such as deleting or modifying key or
+         * certificate entries).
+         */
+        byte[] digest = md.digest();
+
+        dos.write(digest);
+        dos.flush();
+    }
+
+    private static MessageDigest getPreKeyedHash(char[] password)
+            throws NoSuchAlgorithmException, UnsupportedEncodingException
+    {
+
+        MessageDigest md = MessageDigest.getInstance("SHA");
+        byte[] passwdBytes = convertToBytes(password);
+        md.update(passwdBytes);
+        Arrays.fill(passwdBytes, (byte) 0x00);
+        md.update("Mighty Aphrodite".getBytes("UTF8"));
+        return md;
+    }
+
+    private static byte[] convertToBytes(char[] password) {
+        int i, j;
+        byte[] passwdBytes = new byte[password.length * 2];
+        for (i=0, j=0; i<password.length; i++) {
+            passwdBytes[j++] = (byte)(password[i] >> 8);
+            passwdBytes[j++] = (byte)password[i];
+        }
+        return passwdBytes;
+    }
 }