diff --git a/debian/ca-certificates-java.postinst b/debian/ca-certificates-java.postinst
index 963e248117170f5165891f44030d7a5fd790cb0f..f53c4ee61255618b8afa23287f5571f796f1dc6d 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -18,37 +18,6 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
 ETCCERTSDIR=/etc/ssl/certs
 CACERTS=$ETCCERTSDIR/java/cacerts
-setup_path()
-{
- for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
- for jvm in \
- java-${version}-openjdk-${arch} \
- java-${version}-openjdk \
- oracle-java${version}-jre-${arch} \
- oracle-java${version}-server-jre-${arch} \
- oracle-java${version}-jdk-${arch}
- do
- if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
- export JAVA_HOME=/usr/lib/jvm/$jvm
- PATH=$JAVA_HOME/bin:$PATH
- # copy java.security to allow import to function
- security_conf=/etc/java-${version}-openjdk/security
- if [ -f ${security_conf}/java.security.dpkg-new ] \
- && [ ! -f ${security_conf}/java.security ]; then
- cp ${security_conf}/java.security.dpkg-new \
- ${security_conf}/java.security
- fi
- break 2
- fi
- done
- done
-
- if ! which java >/dev/null; then
- echo "No JRE found. Skipping Java certificates setup."
- exit 0
- fi
-}
-
 check_proc()
 {
 if ! mountpoint -q /proc; then
@@ -97,7 +66,10 @@ update_cacerts()
 exit 0
 fi
- setup_path
+ if ! which java >/dev/null; then
+ echo "No JRE found. Skipping Java certificates setup."
+ exit 0
+ fi
 if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; then
 convert_pkcs12_keystore_to_jks
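Review bot: The guard added to update_cacerts() in the `@@ -97,7 +66,10 @@` hunk only proves that `java` is on PATH, while the later code in this function runs `keytool`, so a PATH with java but no keytool passes the guard and fails further down. Checking both, with the shell builtin instead of the external `which`, closes that gap: `if ! command -v java >/dev/null || ! command -v keytool >/dev/null; then`. With setup_path removed, the binaries are no longer pinned to /usr/lib/jvm and are resolved through whatever PATH the maintainer script inherits, so the first keytool found there is the one that rewrites the system trust store; a comment stating that assumption above the guard would help. update_cacerts() starts and ends outside this hunk.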
@@ -110,7 +82,17 @@ update_cacerts()
 if [ -f "$CACERTS" ]; then
 check_proc
- cacerts_aliases=$(keytool -cacerts -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+ # Java 8 does not have -cacerts option
+ if java -version 2>&1 | grep "1.8" > /dev/null ;
+ then
+ castore="-keystore ${CACERTS}"
+ else
+ castore="-cacerts"
+ fi
+
+ cacerts_aliases=$(keytool ${castore} -storepass "$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
 etc_ssl_certs_aliases=$(for pem in $pem_files ; do echo -n "$(basename "$pem" | tr A-Z a-z) "; done)
 for alias in $cacerts_aliases ; do
 case " $etc_ssl_certs_aliases " in
@@ -184,5 +166,9 @@ if [ "$1" = "triggered" ]; then
 ;;
 esac
+ if [ ! -f $CACERTS ]; then
+ touch /var/lib/ca-certificates-java/fresh
+ fi
+
 update_cacerts
 fi
diff --git a/debian/ca-certificates-java.triggers b/debian/ca-certificates-java.triggers
index bde4336df1ca051d89c268630a05372918139c82..e97bbf51db5188d90a9074dd03d12cc25b187006 100644
--- a/debian/ca-certificates-java.triggers
+++ b/debian/ca-certificates-java.triggers
@@ -1,3 +1,2 @@
-interest update-ca-certificates-java
-interest update-ca-certificates-java-fresh
-interest /usr/lib/jvm
+interest-await update-ca-certificates-java
+interest-await update-ca-certificates-java-fresh
diff --git a/debian/changelog b/debian/changelog
index d6bb30fb1e40a9ddf9e40afbf6b560fbf4d5d5ab..262bc715a71a2db1bf04f458f0565eef5b4687ee 100644
--- a/debian/changelog
+++ b/debian/changelog
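Review bot: The Java 8 test `grep "1.8"` in the `@@ -110,7 +82,17 @@` hunk of debian/ca-certificates-java.postinst is an unanchored regular expression in which `.` matches any character, so any `java -version` output containing 1, one arbitrary character, then 8 (a build suffix such as `1+8`, for instance) is classified as Java 8. Matching the version string itself is tighter: `if java -version 2>&1 | grep -q 'version "1\.8'; then`. `${castore}` is expanded unquoted so that `-keystore` and the path become two arguments; a comment such as `# castore is split on purpose; CACERTS must not contain whitespace` would keep a later quoting cleanup from breaking the keytool call. update_cacerts() starts and ends outside this hunk.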
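Review bot: `$CACERTS` is unquoted in the `[ ! -f $CACERTS ]` test added by the `@@ -184,5 +166,9 @@` hunk of debian/ca-certificates-java.postinst, while update_cacerts() tests the same path as `[ -f "$CACERTS" ]`. If the variable were ever empty, the unquoted form collapses to `[ ! -f ]`, which is false, and the fresh marker would silently not be created. Write `if [ ! -f "$CACERTS" ]; then`, and consider a comment above it such as `# no keystore yet: request a full rebuild instead of an incremental update`. The enclosing `if [ "$1" = "triggered" ]` block starts outside the hunk.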
@@ -1,3 +1,38 @@
+ca-certificates-java (20230710~deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bookworm. (Closes: #1041419, #1037478, #929685)
+
+ -- Andreas Beckmann <anbe@debian.org> Sun, 03 Dec 2023 13:04:00 +0100
+
+ca-certificates-java (20230710) unstable; urgency=medium
+
+ * Add apt-utils to the test dependencies.
+
+ -- Matthias Klose <doko@debian.org> Mon, 10 Jul 2023 09:59:59 +0200
+
+ca-certificates-java (20230707) unstable; urgency=medium
+
+ [ Vladimir Petko ]
+ * Resolve circular JRE dependency:
+ - debian/ca-certificates-java.postinst: remove setup_path from "configure"
+ stage.
+ - debian/ca-certificates-java.postinst: do "fresh" update if cacerts file is
+ not found. Certificates are refreshed only in response to the trigger
+ activated by OpenJDK packages.
+ - debian/ca-certificates-java.postinst: fix cacert enumeration command for
+ Java 8.
+ - debian/control: remove JRE dependency.
+ - debian/control: add Breaks condition.
+ - debian/tests: add smoke tests.
+ - debian/ca-certificates-java.triggers: remove file trigger /usr/jvm,
+ explicitly declare triggers as -await.
+
+ [ Matthias Klose ]
+ * Adjust the breaks for Debian versions.
+
+ -- Matthias Klose <doko@debian.org> Fri, 07 Jul 2023 11:13:17 +0200
+
 ca-certificates-java (20230620~deb12u1) bookworm; urgency=medium
 * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index 88c04e98ade6b113d9517bba93b62ef5fc2ddd96..6d93f7bee9c6453ab159e6e598242c3ba0db96fc 100644
--- a/debian/control
+++ b/debian/control
@@ -20,7 +20,13 @@ Multi-Arch: foreign
 Depends:
 ca-certificates (>= 20210120),
 ${misc:Depends},
- default-jre-headless (>= 2:1.8) | java8-runtime-headless,
+Breaks: openjdk-8-jre-headless (<< 8u382~b04-2~),
+ openjdk-11-jre-headless (<< 11.0.19+7~1~),
+ openjdk-17-jre-headless (<< 17.0.8~6-3~),
+ openjdk-18-jre-headless (<< 18.0.2+9-2ubuntu1~),
+ openjdk-19-jre-headless (<< 19.0.2+7-0ubuntu4~),
+ openjdk-20-jre-headless (<< 20.0.1+9~1~),
+ openjdk-21-jre-headless (<< 21~9ea-1~)
 Description: Common CA certificates (JKS keystore)
 This package uses the hooks of the ca-certificates package to update the cacerts JKS keystore used for many java runtimes.
diff --git a/debian/tests/can-convert-keystore b/debian/tests/can-convert-keystore
new file mode 100644
index 0000000000000000000000000000000000000000..b5cdf80e945b8e112314a238ec9a65ba55410f12
--- /dev/null
+++ b/debian/tests/can-convert-keystore
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# GIVEN a PKCS12 Java keystore
+ETCCERTSDIR=/etc/ssl/certs
+CACERTS=$ETCCERTSDIR/java/cacerts
+rm $CACERTS
+keytool -importcert -noprompt -alias Amazon -file /etc/ssl/certs/Amazon_Root_CA_1.pem -trustcacerts -storepass changeit -storetype PKCS12 -keystore test.store 2> /dev/null
+apt-get remove -y ca-certificates-java
+
+mkdir -p /etc/ssl/certs/java/
+mkdir -p /var/lib/ca-certificates-java/
+mv test.store $CACERTS
+# WHEN ca-certificates-java is requested to convert the keystore
+touch /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks
+
+# THEN conversion is successful
+output=`mktemp`
+apt-get install -y openjdk-8-jre-headless | tee ${output}
+
+if [[ $(grep -L "Entry for alias amazon successfully imported." ${output}) ]];
+then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
diff --git a/debian/tests/can-install-jre b/debian/tests/can-install-jre
new file mode 100644
index 0000000000000000000000000000000000000000..ce6879e56ab19c7840619d7e49912058c327884a
--- /dev/null
+++ b/debian/tests/can-install-jre
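Review bot: In debian/tests/can-convert-keystore the pipeline `apt-get install -y openjdk-8-jre-headless | tee ${output}` hides apt-get's exit status, because `set -e` without `pipefail` only sees the status of tee. An installation that prints the expected import line and then fails during configuration still passes the test. Add `set -o pipefail` directly after `set -e`; the script already runs under bash. The same pipeline appears in debian/tests/can-install-jre and debian/tests/can-install-multiple-jdks. This script also never removes the `mktemp` file, unlike the other two; `trap 'rm -f "$output"' EXIT` after it is created would cover the failure path as well.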
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+versions=$(apt-cache search jre-headless | awk '{print $1}')
+for version in ${versions}
+do
+# WHEN openjdk-jre-headless package is installed from scratch
+
+ # Java 18 is EOL 09.2022 but is present in Lunar so that we could do clean
+ # builds. Ignore it in certificate tests
+ if [[ ${version} == "openjdk-18-jre-headless" ]];
+ then
+ continue
+ fi
+ output=`mktemp`
+ echo "installing ${version}"
+ apt-get install -y ${version} | tee ${output}
+# THEN installation is successfull
+# AND certificates are updated
+ if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+ fi
+ rm $output
+ # purge in order to remove keytstore
+ apt-get purge -y ca-certificates-java ${version}
+done
diff --git a/debian/tests/can-install-libreoffice b/debian/tests/can-install-libreoffice
new file mode 100644
index 0000000000000000000000000000000000000000..2177e150c271fec15270948c6d3125286dded168
--- /dev/null
+++ b/debian/tests/can-install-libreoffice
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+apt-get install -y libreoffice
diff --git a/debian/tests/can-install-multiple-jdks b/debian/tests/can-install-multiple-jdks
new file mode 100644
index 0000000000000000000000000000000000000000..977b40b779398d0e18c1f75dec5478cf32af77c8
--- /dev/null
+++ b/debian/tests/can-install-multiple-jdks
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+output=`mktemp`
+# WHEN multiple JDKs are installed
+apt-get install -y openjdk-11-jdk openjdk-17-jdk openjdk-8-jdk | tee ${output}
+
+# THEN installation is successful
+if [[ $(grep -L "Adding debian:Amazon_Root_CA_1.pem" ${output}) ]]; then
+ echo "Certificates were not imported !!!"
+ exit 255
+fi
+rm $output
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000000000000000000000000000000000000..1a51f2e91baf77d5b38d1f232d6e292033ddd9b0
--- /dev/null
+++ b/debian/tests/control
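Review bot: In debian/tests/can-install-jre, `apt-cache search jre-headless` matches package descriptions as well as names, so the loop can install and then purge, as root, packages that are not JRE packages at all. Restricting the search to names keeps the set predictable: `versions=$(apt-cache search --names-only 'jre-headless$' | awk '{print $1}')`. The variable holds package names rather than versions, so `packages`/`pkg` would read better, and `${version}` should be quoted in the `apt-get install` and `apt-get purge` calls.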
@@ -0,0 +1,9 @@
+Tests: can-convert-keystore
+Depends: apt-utils, bash, default-jre-headless
+Restrictions: needs-root
+
+Tests: can-install-jre, can-install-multiple-jdks, can-install-libreoffice
+# No depends, this is a test for a clean install
+Depends: apt-utils, bash
+Restrictions: needs-root
+
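Review bot: Both stanzas in debian/tests/control declare only `needs-root`, yet the tests remove and purge packages and can-convert-keystore deletes and replaces /etc/ssl/certs/java/cacerts, leaving the testbed's trust store modified. If the runner may reuse a testbed between tests, the restriction line should read `Restrictions: needs-root, breaks-testbed`. The comment `# No depends, this is a test for a clean install` sits above a non-empty Depends line; `# No JRE in Depends: these tests install it from a clean state` would say what is meant.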