Ticket to start discussion for a more permanent fix for SSL ca certificate management.
Ideally users should be able to supply a system keystore for Lucee to use as an authority, but also allow the Lucee cacerts file to be used for supplemental certificates. In the past I've used a X509TrustManager modified to allow for parent/child relationships like a ClassLoader would. I can contribute this code and refactor so we're not using a single keystore - we're using an in-memory system keystore trust manager, with a Lucee specific trust manager layered over top. Perhaps changing the system trust manager in the process for lucee contexts.
Or, perhaps Lucee maintains a separate cacerts.supp keystore managed via the administrator, and creates a merged cacerts file from the system keystore merged with cacerts.supp.
At this point I'd welcome more information about why cacerts is being distributed with Lucee, functionality it provides and other things to discuss to make this more streamlined.