Simple java cmd line util to check if a keystore contains a given certificate

CheckCertificate.java

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;

public class CheckCertificate {
    public static void main(String[] args) throws Exception {
        if (args.length < 1 || args.length > 3) {
            System.err.println(
                "Usage: java CheckCertificate certificate [keystore [keystorePass]]");
            System.err.println();
            System.err.println("  certificate: file containing the .crt certificate");
            System.err.println("  [keystore]: optional keystore location, " +
                               "defaults to cacerts of current VM");
            System.err.println("  [keystorePass]: optional keystore password, " +
                               "defaults to 'changeit'");
            System.exit(1);
        }

        Path cacertsPath;
        if (args.length > 1) {
            cacertsPath = Paths.get(args[1]);
        } else {
            cacertsPath = Paths.get(System.getProperty("java.home"),
                                    "lib",
                                    "security",
                                    "cacerts");
        }

        if (!Files.isReadable(cacertsPath)) {
            System.err.println("Can't read keystore: " + cacertsPath);
            System.exit(-1);
        }

        Path certificatePath = Paths.get(args[0]);

        if (!Files.isReadable(certificatePath)) {
            System.err.println("Can't read certificate: " + certificatePath);
            System.exit(-2);
        }

        Certificate certificate = CertificateFactory
            .getInstance("X.509")
            .generateCertificate(Files.newInputStream(certificatePath));

        String keystorePass = args.length == 3 ? args[2] : "changeit";

        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(Files.newInputStream(cacertsPath), keystorePass.toCharArray());
        PKIXParameters params = new PKIXParameters(keystore);
        boolean found = params.getTrustAnchors()
                              .stream()
                              .map(TrustAnchor::getTrustedCert)
                              .anyMatch(trustedCert -> trustedCert.equals(certificate));

        if (found) {
            System.out.println("The certificate is present on the keystore.");
        } else {
            System.out.println("Can't found the certificate on the keystore.");
        }
    }
}