Tianon pointed to p11-kit's "trust extract --format=java-cacerts ..." works pretty well in my experience (that's how Alpine Linux solves this particular problem: https://gitlab.alpinelinux.org/alpine/aports/-/blob/bd4e89c6a26bf7c247c3335b8a7aef053815dfc7/community/java-cacerts/APKBUILD#L18-19) (and how I've done so on systems where I didn't want to install ca-certificates-java for one reason or another)
Using p11-kit to avoid the circular dependency sounds nice. Bastian's suggestion is not ideal, but works for me as well.
