diff --git a/certificate-analyser/src/main/java/org/zowe/apiml/Analyser.java b/certificate-analyser/src/main/java/org/zowe/apiml/Analyser.java index 6f074c11c0..9f980a8cd3 100644 --- a/certificate-analyser/src/main/java/org/zowe/apiml/Analyser.java +++ b/certificate-analyser/src/main/java/org/zowe/apiml/Analyser.java @@ -19,6 +19,7 @@ public class Analyser { public static int mainWithExitCode(String[] args) { + ensureSafkeyringHandler(); try { ApimlConf conf = new ApimlConf(); CommandLine cmd = new CommandLine(conf); @@ -62,6 +63,20 @@ public static int mainWithExitCode(String[] args) { return 4; } + /** + * Registers the IBM SAF keyring URL protocol handler so that + * {@code new URL("safkeyring://...")} works on z/OS without requiring the + * caller to pass {@code -Djava.protocol.handler.pkgs=com.ibm.crypto.provider}. + * On non-z/OS platforms the handler class is simply not found and is ignored. + */ + static void ensureSafkeyringHandler() { + String existing = System.getProperty("java.protocol.handler.pkgs", ""); + if (!existing.contains("com.ibm.crypto.provider")) { + System.setProperty("java.protocol.handler.pkgs", + existing.isEmpty() ? "com.ibm.crypto.provider" : existing + "|com.ibm.crypto.provider"); + } + } + public static final void main(String[] args) { System.exit(mainWithExitCode(args)); } diff --git a/certificate-analyser/src/main/java/org/zowe/apiml/Stores.java b/certificate-analyser/src/main/java/org/zowe/apiml/Stores.java index f05ddb2557..d3c879ab22 100644 --- a/certificate-analyser/src/main/java/org/zowe/apiml/Stores.java +++ b/certificate-analyser/src/main/java/org/zowe/apiml/Stores.java 
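Review bot: In `ensureSafkeyringHandler`, `existing.contains("com.ibm.crypto.provider")` is a substring test, so a pre-set `java.protocol.handler.pkgs` entry that merely contains that text (a longer package name, for instance) is treated as already registered and the handler package is never added. Comparing whole entries avoids this, e.g. `if (!Arrays.asList(existing.split("\\|")).contains("com.ibm.crypto.provider")) {`, which needs a `java.util.Arrays` import. The Javadoc should also say that this mutates a JVM-wide system property on every call to `mainWithExitCode`, whether or not a keyring is configured. The call in the first hunk sits before the `try`, so anything thrown from `System.setProperty` would bypass the exit-code mapping.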
@@ -81,8 +81,14 @@ private void initTruststore() throws IOException, CertificateException, NoSuchAl
 }
 return;
 }
- try (InputStream trustStoreIStream = new FileInputStream(conf.getTrustStore())) {
- this.trustStore = readKeyStore(trustStoreIStream, conf.getTrustPasswd().toCharArray(), conf.getTrustStoreType());
+ if (isKeyring(conf.getTrustStore())) {
+ try (InputStream trustStoreIStream = keyRingUrl(conf.getTrustStore()).openStream()) {
+ this.trustStore = readKeyStore(trustStoreIStream, conf.getTrustPasswd().toCharArray(), conf.getTrustStoreType());
+ }
+ } else {
+ try (InputStream trustStoreIStream = new FileInputStream(conf.getTrustStore())) {
+ this.trustStore = readKeyStore(trustStoreIStream, conf.getTrustPasswd().toCharArray(), conf.getTrustStoreType());
+ }
 }
 }
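Review bot: The new keyring branch passes the configured trust store location to `keyRingUrl(...).openStream()`, and neither `isKeyring` nor `keyRingUrl` is visible in this hunk. It is worth confirming that `isKeyring` accepts only the SAF keyring scheme(s), so that an arbitrary URL given as the trust store is never opened as a stream. The two branches also repeat the same `readKeyStore` call and differ only in how the stream is obtained. A single try-with-resources would keep the password and store-type handling in one place: `try (InputStream trustStoreIStream = isKeyring(conf.getTrustStore()) ? keyRingUrl(conf.getTrustStore()).openStream() : new FileInputStream(conf.getTrustStore())) {`. `initTruststore` begins before this hunk, so the earlier early-return path was not reviewed.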