One possible solution that I found is to import some random certificate into the newly created trust store using keytool import, and then remove the imported certificate from it. This leaves you with a blank key / trust store. Unfortunately, the JVM is unhappy with the empty trust store and throws an exception. Therefore, in order to achieve the goal, at least one certificate must be present, which can be any invalid or expired.