Why is this not a NixOS default?
There are simply not enough people that care about this. I had to do most of the work myself to get security.pki working for the majority of web browsers.
Anyway, I wasn’t aware of JAVAX_NET_SSL_TRUSTSTORE. An environment variable isn’t ideal in this case because you usually want that as a last resort to override a default.
Nonetheless, it means openjdk can be patched to look for our trust store by default.
It shouldn’t be too hard to do, but I don’t have much time to look into this now.