Based on the previous answers, I’ve added the following snippet to my /etc/nixos/configuration.nix:
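# Build a Java trust store in "java-cacerts" format from the system CA bundle
# and export its store path as JAVAX_NET_SSL_TRUSTSTORE.
# NOTE(review): this variable is presumably honoured only by JDKs patched to
# read it (as the nixpkgs ones are); other JVMs need the
# -Djavax.net.ssl.trustStore=<path> system property instead. Confirm for the
# JDK in use.
environment.variables.JAVAX_NET_SSL_TRUSTSTORE =
  let
    # Source path of the file NixOS installs as /etc/ssl/certs/ca-bundle.crt.
    caBundle = config.environment.etc."ssl/certs/ca-bundle.crt".source;

    # p11-kit rebuilt so that `trust` reads its anchors from caBundle.
    # NOTE(review): this replaces the package's whole configureFlags list, and
    # it only has an effect if this nixpkgs revision builds p11-kit with
    # autotools; if it is built with meson the flag may be silently ignored.
    # After a rebuild, list the store (e.g. `keytool -list -keystore <path>`)
    # and confirm that it holds the expected CAs and nothing else.
    p11kit = pkgs.p11-kit.overrideAttrs (oldAttrs: {
      configureFlags = [
        "--with-trust-paths=${caBundle}"
      ];
    });
  in
  derivation {
    name = "java-cacerts";

    # Take the platform from the package set. builtins.currentSystem is not
    # available under pure evaluation (flakes) and names the evaluating
    # machine rather than the system being configured.
    inherit (pkgs.stdenv.hostPlatform) system;

    # Only certificates trusted for TLS server authentication are exported
    # (--purpose=server-auth); the result is written to $out as a single file.
    builder = pkgs.writeShellScript "java-cacerts-builder" ''
      ${p11kit.bin}/bin/trust \
      extract \
      --format=java-cacerts \
      --purpose=server-auth \
      $out
    '';
  };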