Address comments

api/src/main/java/org/apache/cloudstack/ca/CAManager.java

@@ -44,7 +44,7 @@ public interface CAManager extends CAService, Configurable, PluggableService {
             "The CA provider plugin used for CloudStack internal certificate management (MS-agent encryption and authentication). " +
             "The default 'root' provider auto-generates a CA on first startup, but also supports user-provided custom CA material " +
             "via the ca.plugin.root.private.key, ca.plugin.root.public.key, and ca.plugin.root.ca.certificate settings. " +
-            "Restart management server(s) when changed.", true);
+            "Restart management server(s) when changed.", false);
 
     ConfigKey<Integer> CertKeySize = new ConfigKey<>("Advanced", Integer.class,
                                     "ca.framework.cert.keysize",
@@ -94,7 +94,7 @@ public interface CAManager extends CAService, Configurable, PluggableService {
             "ca.framework.inject.default.truststore", "true",
             "When true, injects the CA provider's certificate into the JVM default truststore on management server startup. " +
             "This allows outgoing HTTPS connections from the management server to trust servers with certificates signed by the configured CA. " +
-            "Restart management server(s) when changed.", true);
+            "Restart management server(s) when changed.", false);
 
     /**
      * Returns a list of available CA provider plugins

plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java

@@ -108,20 +108,20 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
             null,
             "The ROOT CA private key in PEM format. " +
             "When set along with the public key and certificate, CloudStack uses this custom CA instead of auto-generating one. " +
-            "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.", true);
+            "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.", false);
 
     private static ConfigKey<String> rootCAPublicKey = new ConfigKey<>("Hidden", String.class,
             "ca.plugin.root.public.key",
             null,
             "The ROOT CA public key in PEM format (X.509/SPKI: must start with '-----BEGIN PUBLIC KEY-----'). " +
-            "Required when providing a custom CA. Restart management server(s) when changed.", true);
+            "Required when providing a custom CA. Restart management server(s) when changed.", false);
 
     private static ConfigKey<String> rootCACertificate = new ConfigKey<>("Hidden", String.class,
             "ca.plugin.root.ca.certificate",
             null,
             "The CA certificate(s) in PEM format (must start with '-----BEGIN CERTIFICATE-----'). " +
             "For intermediate CAs, concatenate the signing cert first, followed by intermediate(s) and root. " +
-            "Required when providing a custom CA. Restart management server(s) when changed.", true);
+            "Required when providing a custom CA. Restart management server(s) when changed.", false);
 
     private static ConfigKey<String> rootCAIssuerDN = new ConfigKey<>("Advanced", String.class,
             "ca.plugin.root.issuer.dn",

server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java

@@ -41,6 +41,7 @@ import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
@@ -578,10 +579,13 @@ public class CAManagerImpl extends ManagerBase implements CAManager {
             // Copy existing default trusted certs
             final TrustManagerFactory defaultTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             defaultTmf.init((KeyStore) null);
-            final X509TrustManager defaultTm = (X509TrustManager) defaultTmf.getTrustManagers()[0];
             int aliasIndex = 0;
-            for (final X509Certificate cert : defaultTm.getAcceptedIssuers()) {
-                trustStore.setCertificateEntry("default-ca-" + aliasIndex++, cert);
+            for (final TrustManager tm : defaultTmf.getTrustManagers()) {
+                if (tm instanceof X509TrustManager) {
+                    for (final X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
+                        trustStore.setCertificateEntry("default-ca-" + aliasIndex++, cert);
+                    }
+                }
             }
 
             // Add CA provider's certificates

utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java

@@ -100,12 +100,13 @@ public class CertUtils {
 
     public static List<X509Certificate> pemToX509Certificates(final String pem) throws CertificateException, IOException {
         final List<X509Certificate> certs = new ArrayList<>();
-        final PEMParser pemParser = new PEMParser(new StringReader(pem));
-        final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
-        Object parsedObj;
-        while ((parsedObj = pemParser.readObject()) != null) {
-            if (parsedObj instanceof X509CertificateHolder) {
-                certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+        try (final PEMParser pemParser = new PEMParser(new StringReader(pem))) {
+            final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
+            Object parsedObj;
+            while ((parsedObj = pemParser.readObject()) != null) {
+                if (parsedObj instanceof X509CertificateHolder) {
+                    certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+                }
             }
         }
         return certs;