Comment 2 for bug 920758

Marc Deslauriers (mdeslaur) wrote:

Testing has revealed a whole slew of issues with the way the debian packaging attempts to update the java cert store:

bug #1: natty and earlier's ca-certificates-java hook doesn't strip the right filename extension,
        so the DigiNotar cert doesn't get removed from the java store when ca-certificates is
        upgraded.

bug #2: oneiric and later's hook java script uses the full filename as the alias without stripping
        the file extension as used in natty and earlier. In theory, this shouldn't be an issue, as
        the postinst script is supposed to re-import all the certificates. Unfortunately, since
        natty and earlier had certs that aren't included in later releases, such as the DigiNotar
        cert, they will never get removed properly.

bug #3: installing ca-certificates-java after an updated ca-certificates uses the bundled cert
        store, which doesn't have the dangerous cert removed. If the ca-certificates package
        was upgraded, the cert is added to the untrusted list, so ca-certificates-java correctly removes
        it from its bundled store. But, if the ca-certificates package was installed after the cert
        was removed from the package, it does not get added to the untrusted list, so installing
        ca-certificates-java will not remove it from its bundled store.

bug #4: Updating from Natty to Oneiric results in the java store not being upgraded to the new
        alias names because of a java issue: "Could not initialize NSS".
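An added audit check, not part of this bug report or of the ca-certificates-java package, that compares the aliases in the Java store against ca-certificates.conf: it reports aliases left behind with no trusted source file (the DigiNotar case in bugs #1 to #3) and certificates present under both alias spellings (the leftover from bug #2). The keytool output and the config file are constructed samples, and the .pem/.crt stripping mirrors the extension handling the report describes.

```python
import re

# Constructed sample in the style of `keytool -list` output for the Java cert store (not a
# real capture): one CA under both alias spellings the report describes and a stale alias.
KEYTOOL_LIST = """\
Your keystore contains 3 entries

diginotar_root_ca, Sep 6, 2011, trustedCertEntry,
Example_Root_CA.pem, Jan 1, 2012, trustedCertEntry,
Example_Root_CA, Jan 1, 2012, trustedCertEntry,
"""

# Constructed sample of /etc/ca-certificates.conf: one file per line, "#" starts a
# comment and a leading "!" marks a deselected (untrusted) certificate.
CA_CERTIFICATES_CONF = """\
# This file lists certificates that you wish to use or to ignore
mozilla/Example_Root_CA.crt
!mozilla/Deselected_CA.crt
"""

ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+?, \w+Entry,?\s*$")

def normalize(name):
    """Comparable key for an alias or cert path: drop directory, .pem/.crt and case."""
    base = name.strip().rsplit("/", 1)[-1]
    for ext in (".pem", ".crt"):
        if base.lower().endswith(ext):
            base = base[:-len(ext)]
    return base.lower()

def parse_keytool_aliases(text):
    """Aliases in keytool -list output (lines of the form '<alias>, <date>, <type>,')."""
    return [m.group("alias") for m in map(ENTRY_RE.match, text.splitlines()) if m]

def parse_trusted_files(conf_text):
    """Certificate files that ca-certificates.conf marks as trusted."""
    lines = (l.strip() for l in conf_text.splitlines())
    return [l for l in lines if l and not l.startswith(("#", "!"))]

def stale_aliases(keytool_text, conf_text):
    """Java store aliases with no trusted counterpart in ca-certificates (bugs #1-#3)."""
    trusted = {normalize(f) for f in parse_trusted_files(conf_text)}
    return sorted(a for a in parse_keytool_aliases(keytool_text) if normalize(a) not in trusted)

def duplicated_aliases(keytool_text):
    """Certificates present under more than one alias spelling (bug #2's leftover)."""
    seen = {}
    for alias in parse_keytool_aliases(keytool_text):
        seen.setdefault(normalize(alias), []).append(alias)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

On a real system, feed it the output of `keytool -list -keystore /etc/ssl/certs/java/cacerts` and the contents of /etc/ca-certificates.conf; any alias reported as stale should be removed by hand since the package hooks described above will not do it.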