Keystore change passwords
Keystore only has one password. You can change it using keytool:
keytool -storepasswd -keystore my.keystore
To change the key's password:
keytool -keypasswd -alias <key_name> -keystore my.keystore
How to change Java Keystore(JKS) keystore and alias password so that they work
The error you are seeing is because you might have provided the wrong keystore-password in the command.
A basic understanding of how and what JKS is. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password; this password is called a keystore-password. And the keys within the JKS file can also be protected individually, which means they can have their own password, which is called a key-password.
The way to change the keystore-password:
keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]
The way to change the key-password:
keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]
These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.
server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.
You can find all the spring-boot properties in the documentation here.
If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.
Does changing the Keystore value change the key password?
No. Changing the keystore password doesn't change the key password automatically. You have to issue the respective change keystore password (-storepasswd) and change key password (-keypasswd) separately.
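The behaviour described above, reproduced on a throwaway JKS keystore. This is an added example, not part of the original answers; the alias, file names and passwords are constructed for the demo, and it assumes keytool is on the PATH.

```shell
#!/bin/sh
# Added example: every name and password below is constructed for a throwaway keystore.
# -storepass:env / -keypass:env make keytool read the password from the named
# environment variable, so existing passwords are not typed on the command line.
export OLD_STORE=old-store-pw NEW_STORE=new-store-pw OLD_KEY=old-key-pw NEW_KEY=new-key-pw

# key_opens_with KEYSTORE STOREPASS_VAR KEYPASS_VAR
# Succeeds only if the variable named KEYPASS_VAR holds the key password of
# alias "demo". It probes on a copy, so the real keystore is never modified.
key_opens_with() {
    cp "$1" "$1.probe" || return 2
    keytool -keypasswd -storetype JKS -keystore "$1.probe" -alias demo \
        -storepass:env "$2" -keypass:env "$3" -new probe-only-pw \
        </dev/null >/dev/null 2>&1
}

# Prints three yes/no answers:
#   1. after -storepasswd, does the key open with the NEW store password?
#   2. after -storepasswd, does the key still open with the OLD key password?
#   3. after -keypasswd, does the key open with the NEW key password?
store_vs_key_password_demo() {
    dir=$(mktemp -d) || return 2
    ks="$dir/demo.jks"
    keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -dname "CN=demo" \
        -validity 1 -storetype JKS -keystore "$ks" \
        -storepass:env OLD_STORE -keypass:env OLD_KEY >/dev/null 2>&1 || return 2

    # Step 1: change only the keystore password.
    # ("$NEW_STORE" keeps the literal out of shell history, but the expanded
    # value is still visible in the process list while keytool runs.)
    keytool -storepasswd -storetype JKS -keystore "$ks" \
        -storepass:env OLD_STORE -new "$NEW_STORE" >/dev/null 2>&1 || return 2
    a1=no; key_opens_with "$ks" NEW_STORE NEW_STORE && a1=yes
    a2=no; key_opens_with "$ks" NEW_STORE OLD_KEY && a2=yes

    # Step 2: change the key password separately.
    keytool -keypasswd -storetype JKS -keystore "$ks" -alias demo \
        -storepass:env NEW_STORE -keypass:env OLD_KEY -new "$NEW_KEY" \
        >/dev/null 2>&1 || return 2
    a3=no; key_opens_with "$ks" NEW_STORE NEW_KEY && a3=yes

    rm -rf "$dir"
    echo "$a1 $a2 $a3"
}
```

Calling store_vs_key_password_demo prints the three answers in order; a key that still opens with the old key password after -storepasswd is the case where server.ssl.key-password must stay at the old value until -keypasswd has been run.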
The internet standard for the PKCS12 keystore format is it has only 1 entry, and the keystore password is the same as the key password.
The way I've seen keytool work is, it doesn't need the storetype attribute when you change the keystore or key password. But when you supply the storetype attribute as PKCS12 it actually complains if you supply the keypass attribute, saying that it will not honor it.
So to answer your question to change the key password, don't supply the storetype attribute. Your command should look like:
keytool -keypasswd -keystore [p12Keystore] -storepass [oldPassword] -new [newPassword] -alias [entry]
Change keystore password from no password to a non blank password
Add -storepass to keytool arguments.
keytool -storepasswd -storepass '' -keystore mykeystore.jks
But also notice that the -list command does not always require a password. I could execute the following command in both cases, without a password or with a valid password:
$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
how to change PKCS12 keystore password using keytool?
You can import the PKCS12 file to another PKCS12 where you can give a new password for the new PKCS12 file. Then you can use the new PKCS12 file or delete the previous one and rename the new file name with the old file name. It's not a straightforward way, but it fulfills the objective. A sample code is given below:
keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344
Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.
Android keystore password change
If you are using the same keystore for signing your application before pushing it to the play store, it should be fine.
Changing Keystore's password or alias password doesn't affect the way it is used to generate the signed apk.
In order to update the password using keytool:
- Open cmd prompt
- Browse to the location of the keytool / set the location of keytool in the path variable under the system variables and directly go to step 3
- Run the following command:
keytool -storepasswd -storepass "previous password" -new "new password" -keystore "keystore location"
Security Note
As mentioned in vlz's comment below.
You should not include your password in the command because it'll be written to your command history (~/.bash_history).
Instead, you can use the below command (safely prompt for a password):
keytool -storepasswd -keystore "keystore location"
Recovery plan
Make sure to backup your keystore file first.