Monday, March 5, 2012

Java certificates

Some Java items require the user to indicate via a dialog that the publisher is trusted. This can be a one-time operation if the user selects the Always Trust check box.

If this is done, a certificate is added to a Java keystore in the user's profile: %USERPROFILE%\Appdata\LocalLow\Sun\Java\Security\trusted.certs. When the process occurs interactively, the keystore is created if it does not exist; otherwise the certificate is added to the existing one. The interactive process does not seem to apply a password to the keystore that gets created.

The keytool utility looks as though it can be used to manage the keystore, but it needs passwords, which seems to make the situation above unmanageable in a conventional packaging scenario. With App-V it could be possible to have the trusted.certs file created and have it override any existing one in the user's profile within the App-V bubble.
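
As an added example (not code from the original post), the standard `java.security.KeyStore` API can read a keystore without a password and write one with an empty password, which allows a trusted.certs file to be inspected or built for a package. The class name `TrustedCerts` and its arguments are hypothetical, and the code assumes the file is in JKS format and that the Java runtime reading it accepts an empty store password.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Collections;

// Added example: inspect (and optionally seed) a password-less JKS keystore
// such as trusted.certs. Usage:
//   java TrustedCerts <keystore>                      list entries
//   java TrustedCerts <keystore> <alias> <cert-file>  add a certificate, then list
public class TrustedCerts {
    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 3) {
            System.err.println("usage: TrustedCerts <keystore> [<alias> <cert-file>]");
            System.exit(2);
        }
        Path path = Paths.get(args[0]);
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, null);   // null password: entries are read, integrity check is skipped
            }
        } else {
            ks.load(null, null);     // start a new, empty keystore
        }
        if (args.length == 3) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = Files.newInputStream(Paths.get(args[2]))) {
                ks.setCertificateEntry(args[1], cf.generateCertificate(in));
            }
            try (OutputStream out = Files.newOutputStream(path)) {
                ks.store(out, new char[0]);  // assumption: empty password, as no password seems to be applied
            }
        }
        // Print each trusted certificate so the package contents can be reviewed.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            StringBuilder fp = new StringBuilder();
            for (byte b : sha256.digest(c.getEncoded())) fp.append(String.format("%02X", b));
            System.out.printf("%s%n  subject: %s%n  expires: %s%n  sha256:  %s%n",
                alias, c.getSubjectX500Principal().getName(), c.getNotAfter(), fp);
        }
    }
}
```

Run it against a copy of the file rather than the live one in the profile, and compare the printed SHA-256 fingerprint with the publisher's certificate before the file goes into a package.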

http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html

http://superuser.com/questions/281682/import-java-trusted-certificate-to-jre