I was deploying application on Tomcat7/OpenJDK. This application was accessing further secure services like SMTPS and HTTPS.
Tomcat was complaining that certificates are not correct (PKIX): the trustAnchors parameter must be non-empty.
Solution for Debian was quite easy after I found correct path to cacerts. Java cacerts for OpenJDK are stored in file: /etc/ssl/certs/java/cacerts.
To import certificate it is sufficient to use keytool:
keytool -import -keystore /etc/ssl/certs/java/cacerts -file cert.pem \ -alias ci.sinusgear.com
Then I restarted Tomcat and problem with trustAnchors disappeared.