googleapis · ldetmer · Feb 10, 2026 · Feb 10, 2026
@@ -47,7 +47,7 @@ For instructions on setting up your credentials properly, see the
 already have an access token, you can make a request in the following way:
 
 ```java
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.services.books.Books;
 import com.google.auth.http.HttpCredentialsAdapter;
@@ -59,7 +59,7 @@ GoogleCredentials credentials =
 
 Books books =
     new Books.Builder(
-            GoogleNetHttpTransport.newTrustedTransport(),
+            new NetHttpTransport(),
             GsonFactory.getDefaultInstance(),
             new HttpCredentialsAdapter(credentials))
         .setApplicationName("BooksExample/1.0")
@@ -79,7 +79,7 @@ App Engine takes care of all of the details. You only specify the OAuth 2.0
 scope you need.
 
 ```java
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.services.books.Books;
 import com.google.appengine.api.appidentity.AppIdentityService;
@@ -99,7 +99,7 @@ GoogleCredentials credentials =
 
 Books books =
     new Books.Builder(
-            GoogleNetHttpTransport.newTrustedTransport(),
+            new NetHttpTransport(),
             GsonFactory.getDefaultInstance(),
             new HttpCredentialsAdapter(credentials))
         .setApplicationName("BooksExample/1.0")
@@ -373,7 +373,7 @@ a private key downloaded from the [Google API Console][console].
 For example, you can make a request in the following way:
 
 ```java
-HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
+HttpTransport httpTransport = new NetHttpTransport();
 JsonFactory jsonFactory = GsonFactory.getDefaultInstance();
 
 //Build service account credential
@@ -405,12 +405,12 @@ additionally call [`GoogleCredential.Builder.setServiceAccountUser(String)`][set
 
 This is the command-line authorization code flow described in [Using OAuth 2.0 for Installed Applications][oauth2-installed-app].
 
-Example snippet from [plus-cmdline-sample][plus-sample]:
+Example usage:
 
 ```java
 public static void main(String[] args) {
   try {
-    httpTransport = GoogleNetHttpTransport.newTrustedTransport();
+    httpTransport = new NetHttpTransport();
     dataStoreFactory = new FileDataStoreFactory(DATA_STORE_DIR);
     // authorization
     Credential credential = authorize();

@@ -14,10 +14,8 @@
 
 package com.google.api.client.googleapis.apache.v5;
 
-import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.googleapis.mtls.MtlsProvider;
 import com.google.api.client.googleapis.mtls.MtlsUtils;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.client.http.apache.v5.Apache5HttpTransport;
 import com.google.api.client.util.SslUtils;
 import com.google.common.annotations.Beta;
@@ -48,11 +46,8 @@
 public final class GoogleApache5HttpTransport {
 
   /**
-   * Returns a new instance of {@link Apache5HttpTransport} that uses {@link
-   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If
-   * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
-   * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
-   * transport uses the default client certificate and is mutual TLS.
+   * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates for
+   * the trusted certificates.
    */
   public static Apache5HttpTransport newTrustedTransport()
       throws GeneralSecurityException, IOException {
@@ -61,9 +56,8 @@ public static Apache5HttpTransport newTrustedTransport()
 
   /**
    * {@link Beta} <br>
-   * Returns a new instance of {@link Apache5HttpTransport} that uses {@link
-   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used
-   * to configure mutual TLS for the transport.
+   * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates
+   * for the trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport.
    *
    * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport
    */
@@ -109,22 +103,20 @@ public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider)
         mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
       }
 
-      // Use the included trust store
-      KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
       SSLContext sslContext = SslUtils.getTlsSslContext();
 
       if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
         this.isMtls = true;
         SslUtils.initSslContext(
             sslContext,
-            trustStore,
+            null,
             SslUtils.getPkixTrustManagerFactory(),
             mtlsKeyStore,
             mtlsKeyStorePassword,
             SslUtils.getDefaultKeyManagerFactory());
       } else {
         this.isMtls = false;
-        SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+        SslUtils.initSslContext(sslContext, null, SslUtils.getPkixTrustManagerFactory());
       }
       LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
 

@@ -30,10 +30,11 @@
 public class ITGoogleApache5HttpTransportTest {
 
   @Test
-  public void testHttpRequestFailsWhenMakingRequestToSiteWithoutGoogleCerts()
+  public void testHttpRequestFailsWhenMakingRequestToSiteWithoutDefaultJdkCerts()
       throws GeneralSecurityException, IOException {
     Apache5HttpTransport apache5HttpTransport = GoogleApache5HttpTransport.newTrustedTransport();
-    HttpGet httpGet = new HttpGet("https://maven.com/");
+    // Use a self-signed certificate site that won't be trusted by default trust store
+    HttpGet httpGet = new HttpGet("https://self-signed.badssl.com/");
     Exception exception = null;
     try {
       apache5HttpTransport
@@ -43,7 +44,7 @@ public void testHttpRequestFailsWhenMakingRequestToSiteWithoutGoogleCerts()
               new HttpClientResponseHandler<Void>() {
                 @Override
                 public Void handleResponse(ClassicHttpResponse response) {
-                  fail("Should not have been able to complete SSL request on non google site.");
+                  fail("Should not have been able to complete SSL request with untrusted cert.");
                   return null;
                 }
               });

@@ -14,10 +14,8 @@
 
 package com.google.api.client.googleapis.apache.v2;
 
-import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.googleapis.mtls.MtlsProvider;
 import com.google.api.client.googleapis.mtls.MtlsUtils;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.client.http.apache.v2.ApacheHttpTransport;
 import com.google.api.client.util.Beta;
 import com.google.api.client.util.SslUtils;
@@ -47,11 +45,8 @@
 public final class GoogleApacheHttpTransport {
 
   /**
-   * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
-   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If
-   * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
-   * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
-   * transport uses the default client certificate and is mutual TLS.
+   * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certs for the
+   * trusted certificates.
    */
   public static ApacheHttpTransport newTrustedTransport()
       throws GeneralSecurityException, IOException {
@@ -60,8 +55,8 @@ public static ApacheHttpTransport newTrustedTransport()
 
   /**
    * {@link Beta} <br>
-   * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
-   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used
+   * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the
+   * trusted certificates. mtlsProvider can be used
    * to configure mutual TLS for the transport.
    *
    * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport
@@ -105,22 +100,20 @@ public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider)
         mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
       }
 
-      // Use the included trust store
-      KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
       SSLContext sslContext = SslUtils.getTlsSslContext();
 
       if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
         this.isMtls = true;
         SslUtils.initSslContext(
             sslContext,
-            trustStore,
+            null,
             SslUtils.getPkixTrustManagerFactory(),
             mtlsKeyStore,
             mtlsKeyStorePassword,
             SslUtils.getDefaultKeyManagerFactory());
       } else {
         this.isMtls = false;
-        SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+        SslUtils.initSslContext(sslContext, null, SslUtils.getPkixTrustManagerFactory());
       }
       LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);