The `cacerts` keystore file is now a password-less PKCS #12 file. All certificates inside are not encrypted and there is no MacData for password integrity. Since the PKCS12 and JKS keystore types are interoperable, existing code that uses a JKS `KeyStore` to load the `cacerts` file with any password (including null) continue to behave as expected and can view or extract the certificates contained within the keystore.