diff --git a/oracle-jdk/files/cacerts-jdk7 b/oracle-jdk/files/cacerts-jdk7
new file mode 100644
index 0000000..0d9c011
Binary files /dev/null and b/oracle-jdk/files/cacerts-jdk7 differ
diff --git a/oracle-jdk/tasks/main.yml b/oracle-jdk/tasks/main.yml
index 89972d3..bcd797d 100644
--- a/oracle-jdk/tasks/main.yml
+++ b/oracle-jdk/tasks/main.yml
@@ -44,14 +44,18 @@
 - name: Set fact jdk_installed
 set_fact: jdk_installed=True
 
- - name: Get the Letsencrypt cross signed X3 CA certificate
- get_url: url='https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der' dest=/srv/lets-encrypt-x3-cross-signed.der
- when: jdk_default <= 7
-
- - name: Change the default keyring. Insert the Letsencrypt X3 cross signed CA certificate
- shell: keytool -trustcacerts -keystore {{ jdk_java_home }}/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -alias lets-encrypt-x3-cross-signed -file /srv/lets-encrypt-x3-cross-signed.der
- when:
- - ( jdk_install | changed )
- - jdk_default <= 7
-
 tags: [ 'oracle_jdk', 'jdk' ]
+
+- block:
+ - name: Install a default keyring that includes the Letsencrypt X3 cross signed CA and the INFN CA certificate
+ copy: src=cacerts-jdk7 dest={{ jdk_java_home }}/jre/lib/security/cacerts owner=root group=root mode=0644
+
+ when: jdk_default <= 7
+ tags: [ 'oracle_jdk', 'jdk', 'jdk_cacert' ]
+
+- block:
+ - name: Change the default keyring. Insert the INFN CA certificate
+ shell: keytool -list -keystore {{ jdk_java_home }}/jre/lib/security/cacerts -storepass changeit -noprompt | grep infn-ca-2015 ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then keytool -trustcacerts -keystore {{ jdk_java_home }}/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -alias infn-ca-2015-2030 -file /usr/local/share/ca-certificates/infn-ca-2015.crt ; fi
+
+ when: jdk_default >= 8
+ tags: [ 'oracle_jdk', 'jdk', 'jdk_cacert' ]
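Review bot: The new copy task for `jdk_default <= 7` overwrites the whole `jre/lib/security/cacerts` with the committed binary `cacerts-jdk7`, so the trust anchors on those hosts become whatever that unreviewable blob contains, and any CA the JDK vendor later removes from its own store is put back on every run. I would keep per-certificate imports, reusing the guarded `keytool -list … | grep` / `-importcert` pattern from the `jdk_default >= 8` block for both certificates, or at least record provenance above the task, for example `# cacerts-jdk7: JDK 7 cacerts plus lets-encrypt-x3-cross-signed and infn-ca-2015-2030, sha256 <SHA256_PLACEHOLDER>`, and add `backup=yes` to the copy. In the second block the shell task reports changed on every run; adding `register: infn_ca_import` with a `changed_when` keyed to its output would keep the play idempotent. That task also assumes `/usr/local/share/ca-certificates/infn-ca-2015.crt` already exists, which presumably another role provides. The task list that the context `tags:` line closes starts outside the hunk.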