Keystore Change Passwords

Keystore only has one password. You can change it using keytool:

keytool -storepasswd -keystore my.keystore

To change the key's password:

keytool -keypasswd -alias <key_name> -keystore my.keystore

How to change Java KeyStore (JKS) keystore and alias passwords so that they work

The error you are seeing is because you might have provided a wrong keystore-password in the command.

First, a basic understanding of what a JKS is and how it works. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password; this password is called a keystore-password. The keys within the JKS file can also be protected individually, which means they can have their own password, which is called a key-password.

The way to change the keystore-password:

keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]

The way to change the key-password:

keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]

These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.

server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.

You can find all the spring-boot properties in the documentation here.

If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.

Does changing the Keystore value change the key password?

No. Changing the keystore password doesn't change the key password automatically. You have to issue the respective change keystore password (-storepasswd) and change key password (-keypasswd) separately.

The internet standard for the PKCS12 keystore format is that it has only 1 entry, and the keystore password is the same as the key password.

The way I've seen keytool work is that it doesn't need the storetype attribute when you change the keystore or key password. But when you supply the storetype attribute as PKCS12, it actually complains if you supply the keypass attribute, saying that it will not honor it.

So to answer your question to change the key password, don't supply the storetype attribute. Your command should look like:

keytool -keypasswd -keystore [p12Keystore] -storepass [oldPassword] -new [newPassword] -alias [entry]

Change keystore password from no password to a non blank password

Add -storepass to keytool arguments.

keytool -storepasswd -storepass '' -keystore mykeystore.jks

But also notice that the -list command does not always require a password. I could execute the following command in both cases: without a password or with a valid password.

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

how to change PKCS12 keystore password using keytool?

You can import the PKCS12 file into another PKCS12 file, where you can give a new password for the new PKCS12 file. Then you can use the new PKCS12 file, or delete the previous one and rename the new file to the old file name. It's not a straightforward way, but it fulfills the objective. Sample code is given below.

keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344 

Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.

Android keystore password change

If you are using the same keystore for signing your application before pushing it to the play store, it should be fine.

Changing Keystore's password or alias password doesn't affect the way it is used to generate the signed apk.

In order to update the password using keytool:

  1. Open cmd prompt
  2. Browse to the location of the keytool / set the location of keytool in the path variable under the system variables and directly go to step 3
  3. Run the following command:

    keytool -keypasswd -alias "key alias" -keypass "previous password" -new "new password" -keystore "keystore location"

Security Note

As mentioned in vlz's comment below.

You should not include your password in the command because it'll be written to your command history (~/.bash_history).

Instead, you can use the below command (safely prompt for a password):

keytool -storepasswd -keystore "keystore location"

Recovery plan

Make sure to backup your keystore file first.
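An added end-to-end example (not from any of the answers on this page, nor from the keytool project) that ties the commands above together: it rotates the keystore password and the key password of a JKS as two separate steps, as the JKS answer describes, shows that neither step affects the other, re-exports the entry into a PKCS12 file under a new password the way the -importkeystore answer does, and keeps every password out of the command line and shell history, as the security note advises, by reading them through keytool's -storepass:env, -keypass:env and -new:env modifiers. It assumes a JDK keytool on PATH (it prints a message and exits 0 if none is found); the alias "app", the file names and all passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from any answer on this page.
# Assumes: a JDK keytool on PATH. The alias "app", all file names and all
# passwords below are constructed for this demo.
#
# Passwords are handed to keytool with its ":env" modifier (-storepass:env VAR,
# -keypass:env VAR, -new:env VAR, -srcstorepass:env VAR, ...) so they are read
# from the environment instead of appearing in the command line or in
# ~/.bash_history.

KT_LOG=/dev/null

# Run one keytool command; its output (including the JKS/PKCS12 warnings newer
# JDKs print) goes to $KT_LOG. The exit status is keytool's own.
kt() {
    keytool "$@" >>"$KT_LOG" 2>&1
}

rotate_demo() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d) || return 1
    KT_LOG="$work/keytool.log"
    jks="$work/app.jks"
    p12="$work/app.p12"

    # Step 1: create a JKS whose key password differs from its store password
    # (allowed for JKS; a PKCS12 keystore keeps the two the same).
    export STOREPW=store-old KEYPW=key-old
    kt -genkeypair -alias app -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=demo, O=example" -storetype JKS -keystore "$jks" \
       -storepass:env STOREPW -keypass:env KEYPW || return 1

    # Step 2: back up before changing anything (the recovery plan above).
    cp "$jks" "$jks.bak" || return 1

    # Step 3: change only the keystore password (-storepasswd).
    export STOREPW=store-old NEWPW=store-new
    kt -storepasswd -keystore "$jks" -storepass:env STOREPW -new:env NEWPW || return 1

    # The new store password opens the keystore; the old one no longer does.
    export STOREPW=store-new
    kt -list -keystore "$jks" -storepass:env STOREPW || return 1
    export STOREPW=store-old
    if kt -list -keystore "$jks" -storepass:env STOREPW; then
        echo "old store password still accepted" >&2; return 1
    fi

    # Step 4: step 3 left the key password alone, so the key still unlocks with
    # key-old; rotate it now with a separate -keypasswd.
    export STOREPW=store-new KEYPW=key-old NEWPW=key-new
    kt -keypasswd -alias app -keystore "$jks" -storepass:env STOREPW \
       -keypass:env KEYPW -new:env NEWPW || return 1

    # The old key password must now be rejected.
    export KEYPW=key-old NEWPW=key-other
    if kt -keypasswd -alias app -keystore "$jks" -storepass:env STOREPW \
          -keypass:env KEYPW -new:env NEWPW; then
        echo "old key password still accepted" >&2; return 1
    fi

    # Step 5: move the entry into a PKCS12 file under a new password, the way the
    # -importkeystore answer changes a PKCS12 password. PKCS12 uses one password
    # for store and key, so both destination passwords are the same.
    export SRCSTOREPW=store-new SRCKEYPW=key-new DESTPW=p12-new-pw
    kt -importkeystore -srckeystore "$jks" -srcstoretype JKS -srcalias app \
       -srcstorepass:env SRCSTOREPW -srckeypass:env SRCKEYPW \
       -destkeystore "$p12" -deststoretype PKCS12 \
       -deststorepass:env DESTPW -destkeypass:env DESTPW || return 1
    export STOREPW=p12-new-pw
    kt -list -keystore "$p12" -storetype PKCS12 -storepass:env STOREPW || return 1

    unset STOREPW KEYPW NEWPW SRCSTOREPW SRCKEYPW DESTPW
    rm -rf "$work"
    echo "rotation demo passed"
    return 0
}

# Usage: sh rotate_demo.sh run
if [ "${1:-}" = "run" ]; then
    rotate_demo
fi
```

On a failed step the temporary directory is kept so $work/keytool.log can be inspected; on success it is deleted, backup included. Environment variables are still visible to other processes of the same user, so on a shared host prefer the -storepass:file form pointing at a mode-600 file, or run keytool without any password option and let it prompt, as the security note above does.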


