If you look in your JDK installation directory you will find a keystore called "cacerts" in %JDK_ROOT%/jre/lib/security. This keystore contains the root certificates used to validate the certificates of regular web sites, and it is the trust store Java uses by default for operations such as opening SSL connections.
Now some tools, <cough> the HTTP Analyser in JDeveloper </cough>, might have a bug that prevents them from using a keystore that doesn't have a password. But it is an easy step to import all of the certificates into a keystore that does have a password:
keytool -importkeystore -srckeystore cacerts -destkeystore /tmp/output.keystore -deststorepass welcome
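A check worth running after the import, added here as an example and not part of the original post: compare the certificate fingerprints that `keytool -list` reports for the source and for the copy, so a missing or unexpected trust anchor is caught before the new keystore is used. The listing file names and the functions `fingerprints` and `compare_listings` are assumptions of this example.

```sh
#!/bin/sh
# Added example: check that a copied trust store holds the same certificates
# as its source by comparing the fingerprints printed by `keytool -list`.
#
# Produce the two listings first (file names are assumptions; keytool asks
# for the keystore password when -storepass is not given):
#   keytool -list -keystore cacerts > src.lst
#   keytool -list -keystore /tmp/output.keystore -storepass welcome > dst.lst

# Print the sorted, de-duplicated fingerprints found in one saved listing.
# Matches lines such as "Certificate fingerprint (SHA1): AB:CD:EF:..."
# whatever digest name the JDK prints inside the parentheses.
fingerprints() {
    sed -n 's/^Certificate fingerprint ([^)]*): *//p' "$1" | LC_ALL=C sort -u
}

# Compare two listings. Prints "missing <fp>" for certificates only in the
# source and "extra <fp>" for certificates only in the copy.
# Returns 0 when both hold the same set, 1 when they differ.
compare_listings() {
    tmp=$(mktemp -d) || return 2
    fingerprints "$1" > "$tmp/src"
    fingerprints "$2" > "$tmp/dst"
    report=$( {
        LC_ALL=C comm -23 "$tmp/src" "$tmp/dst" | sed 's/^/missing /'
        LC_ALL=C comm -13 "$tmp/src" "$tmp/dst" | sed 's/^/extra /'
    } )
    rm -rf "$tmp"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run as: sh verify.sh src.lst dst.lst
if [ "$#" -eq 2 ]; then
    if compare_listings "$1" "$2"; then
        echo "both listings contain the same certificates"
    else
        exit 1
    fi
fi
```

An `extra` line means the copy trusts a certificate the source does not, which should be explained before any tool is pointed at the new keystore.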