Hi Paolo,
With the recent scanner CLI versions, we are trying to decouple from Java. The new supported way to configure extra server certificates is to put the server certificate in a separate pkcs12 keystore (not the JRE cacerts).
The default location is ~/.sonar/ssl/truststore.p12 (password sonar) but you can also use the scanner properties sonar.scanner.truststorePath and sonar.scanner.truststorePassword to pass custom values.
Our idea was that users would prepare the p12 keystore outside the scanner docker image, and copy it to the image, or mount a volume. Another option will be to use openssl inside the scanner docker image to convert from PEM to p12, but this will only work after the next release of the Scanner CLI Docker, because of this issue.
We are happy to hear some feedback about that new approach.