How a Java application validates the certificate received from a server? Is the server's certificate automatically trusted?

No. Server's certificate will not be automatically trusted by any Java application. When a Java application receives a certificate from a server, it will try to validate the certificate again trusted certificates following these rules:

1. If JVM system properties: javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are defined, Java application will search for trusted certificates in the keystore file specified injavax.net.ssl.trustStore.

2. If javax.net.ssl.trustStore is not defined, Java application will search for trusted certificates in the default keystore file located at $JAVA_HOME/lib/security/jssecacerts.

3. If $JAVA_HOME/lib/security/jssecacerts does not exist, Java application will search for trusted certificates in the default keystore file located at $JAVA_HOME/lib/security/cacerts.

4. If a trusted certificate is found and it matches the root certificate in the certificate chain of the server certificate, the server certificate will be considered as trusted and the communication with server will continue.

5. If no trusted certificate is found to match the root certificate in the certificate chain of the server certificate, the server certificate will be considered as not trusted and the communication with server will stop. A Java exception error will be returned.

⇒ What Is JKS (Java KeyStore) File

⇐ Using Certificates with Java VM

⇑ Using Certificates with Java VM

⇑⇑ Certificates on Java VM