Dear Maintainer,

I still run into this problem using Debian stretch packages.

ca-certificates 20161130+nmu1
ca-certificates-java 20170531+nmu1

For testing I put/removed my own certificates to/from "/usr/local/share/ca-certificates" and ran "update-ca-certificates -f".
New certificates are correctly added to cacerts, but removed certificates stay present in the cacerts.
I did a very nasty workaround by adding a "rm -f /etc/ssl/certs/java/cacerts" into the ca-certificates-java hook. That way the cacerts is built from scratch every time, so that only existing certificates are used. But IMHO this can't be the solution.
Best regards,
Daniel
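
A check for the condition described in this report, as an added example that is not part of the original message or of the ca-certificates-java package: it compares the fingerprints in `keytool -list` output for the Java keystore with the certificates in a PEM bundle and reports aliases Java still trusts although the certificate is gone from the system store. Function names and sample data are constructed for illustration, and the parser assumes keytool's English listing format with SHA1 or SHA-256 fingerprint lines.

```python
import base64
import hashlib
import re

# keytool -list: "<alias>, <date>, trustedCertEntry," then a fingerprint line.
ENTRY = re.compile(r"^(?P<alias>.+?), .*trustedCertEntry,\s*$")
FPR = re.compile(r"^Certificate fingerprint \((?P<alg>[^)]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$")
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def keystore_entries(listing):
    """Map alias -> (hashlib digest name, lowercase hex fingerprint)."""
    entries, alias = {}, None
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            alias = m.group("alias")
        m = FPR.match(line)
        if m and alias:
            alg = m.group("alg").replace("-", "").lower()  # "SHA-256" -> "sha256"
            entries[alias] = (alg, m.group("fp").replace(":", "").lower())
            alias = None
    return entries

def pem_fingerprints(pem_text, alg):
    """Hash the DER bytes of every certificate in a PEM bundle."""
    return {hashlib.new(alg, base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM.findall(pem_text)}

def stale_aliases(listing, pem_text):
    """Aliases still in the keystore whose certificate is not in the PEM store."""
    return sorted(alias for alias, (alg, fp) in keystore_entries(listing).items()
                  if fp not in pem_fingerprints(pem_text, alg))

def pem_block(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def colon_hex(der, alg):
    return re.sub(r"(..)(?=.)", r"\1:", hashlib.new(alg, der).hexdigest().upper())

# Constructed sample: placeholder bytes stand in for DER certificates.
KEPT, REMOVED = b"constructed-cert-kept", b"constructed-cert-removed"
SAMPLE_PEM = pem_block(KEPT)  # system store after the local CA was removed
SAMPLE_LISTING = (
    "debian:kept.pem, Nov 30, 2016, trustedCertEntry,\n"
    "Certificate fingerprint (SHA-256): %s\n" % colon_hex(KEPT, "sha256")
    + "debian:removed.pem, Nov 30, 2016, trustedCertEntry,\n"
    "Certificate fingerprint (SHA1): %s\n" % colon_hex(REMOVED, "sha1"))

print(stale_aliases(SAMPLE_LISTING, SAMPLE_PEM))
```

On a real system the listing would come from `keytool -list` run against /etc/ssl/certs/java/cacerts and the PEM text from the system's CA bundle.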