Using an Empty Keystore Password Used to Be Possible

Is it possible to create JKS keystore file without a password?

You have not been able to create a keystore with a blank password with keytool for a while now, but you can still do it programmatically.

Read a cert like this:

import java.io.*;
import java.security.cert.*;

// Reads a single X.509 certificate (DER or PEM) from the given file
private static Certificate readCert(String path) throws IOException, CertificateException {
    try (FileInputStream fin = new FileInputStream(path)) {
        return CertificateFactory.getInstance("X.509").generateCertificate(fin);
    }
}

Then create the keystore with the empty password like this:

import java.security.GeneralSecurityException;
import java.security.KeyStore;

try {
    // Reading the cert
    Certificate cert = readCert("/tmp/cert.cert");

    // Creating an empty JKS keystore (named explicitly: since JDK 9, getDefaultType() returns "pkcs12")
    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(null, null);

    // Adding the cert to the keystore
    keystore.setCertificateEntry("somecert", cert);

    // Saving the keystore with a zero-length password; try-with-resources closes the stream
    try (FileOutputStream fout = new FileOutputStream("/tmp/keystore")) {
        keystore.store(fout, new char[0]);
    }
} catch (GeneralSecurityException | IOException e) {
    e.printStackTrace();
}

Run the command:

keytool -list -keystore keystore

It will ask for a password, but you can simply press Enter. You will get the following warning, but the content of the keystore will be listed:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

This might work for you.
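The warning above is the security-relevant point: listing or loading a JKS file with no password at all (KeyStore.load with a null password) skips the integrity check entirely, so a modified file loads silently, whereas supplying the store password, even a zero-length one, makes the SHA-1 MAC stored at the end of the file be verified. The program below is an added example, not code from the answer above. It creates a JKS saved with a zero-length password (adding a certificate only if a path to one is given as the first argument; otherwise the store is written with no entries), lists it with and without a password, then flips one bit in the last byte of the file and shows that only the load that supplies the password rejects the tampered file. The temporary file location and the alias somecert are this example's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.List;

public class JksIntegrityDemo {

    /** Creates a JKS keystore saved with a zero-length password. If certPath is null or
     *  does not exist, the store is written with no entries (an empty trust store). */
    static void createWithEmptyPassword(Path out, Path certPath)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");   // explicit: getDefaultType() is "pkcs12" on JDK 9+
        ks.load(null, null);                          // start from a fresh, empty keystore
        if (certPath != null && Files.exists(certPath)) {
            try (InputStream in = Files.newInputStream(certPath)) {
                Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
                ks.setCertificateEntry("somecert", cert);   // alias is this example's own choice
            }
        }
        try (OutputStream fout = Files.newOutputStream(out)) {
            ks.store(fout, new char[0]);   // zero-length password; the trailing MAC is still written
        }
    }

    /** Loads the file and returns its aliases. A null password skips the integrity check
     *  (this is what keytool's WARNING refers to); a non-null one, even empty, verifies it. */
    static List<String> listAliases(Path file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return Collections.list(ks.aliases());
    }

    /** Flips one bit in the last byte of the file, which lies inside the trailing MAC of the JKS format. */
    static void corruptTrailingByte(Path file) throws IOException {
        byte[] data = Files.readAllBytes(file);
        data[data.length - 1] ^= 0x01;
        Files.write(file, data);
    }

    public static void main(String[] args) throws Exception {
        Path ksFile = Files.createTempFile("demo", ".jks");            // example's own temp location
        Path cert = args.length > 0 ? Paths.get(args[0]) : null;       // optional X.509 certificate file
        createWithEmptyPassword(ksFile, cert);

        System.out.println("intact, null password   : " + listAliases(ksFile, null));
        System.out.println("intact, empty password  : " + listAliases(ksFile, new char[0]));

        corruptTrailingByte(ksFile);
        System.out.println("tampered, null password : " + listAliases(ksFile, null)
                + "  <- loads fine, nothing was checked");
        try {
            listAliases(ksFile, new char[0]);
            System.out.println("tampered, empty password: loaded (unexpected)");
        } catch (IOException e) {
            System.out.println("tampered, empty password: rejected -> " + e.getMessage());
        }
        Files.deleteIfExists(ksFile);
    }
}
```

Run it with java JksIntegrityDemo.java (JDK 11+ single-file launch), optionally followed by the path of a certificate file. The practical rule for anything that loads a trust store, whether through KeyStore.load or keytool -list with -storepass, is to pass the store password even when it is empty, because that is the only way the file's integrity is checked.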

Do you not need a password to access a truststore (made with the java keytool)?

The password is used to protect the integrity of a keystore. If you don't provide any store password, you can still read the contents of the keystore. The command keytool -list demonstrates this behavior (use it with an empty password).

Liberty - Can the keystore password be blank? String of length zero?

Using an empty string in your case will, I think, load the keystore with an empty string. The error you are getting is basically a bad password error; the error will be different depending on the level of the JDK you are using. So with a PKCS12 keystore, even if the keystore is loaded with no password you can't get any cert inside of it, at least that's my experience with PKCS12. In a JKS keystore you can access cert entries but not key entries.

In more recent Liberty levels the password is not required, and it will load a JKS keystore without a password. But that keystore would not be able to be used by a key manager; you need a password to access a key.

Is there a way to make keytool not prompt for password for the key?

There are parameters to specify the key and store passwords:

-keypass <your-pass> and -storepass <your-pass>

E.g.

keytool -storepass pass123 -keypass pass123 -keystore keystore.jks -alias myalias -validity 99 -genkey -noprompt

keytool reference

Java SSL truststore seems to be accessible without specifying password?

A password is not required to read a trust store. No private key is involved.

You still need a password to modify a trust store. Also, when reading a trust store, if the password is provided, it can be used to verify the integrity of the trust store.

ref - http://bayou.io/release/0.9/javadoc/bayou/ssl/SslConf.html#trustStorePass-java.lang.String-

How to create an empty java trust store?

Using keytool, create a random key pair:

keytool -genkeypair -alias boguscert -storepass storePassword -keypass secretPassword -keystore emptyStore.keystore -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"

Then delete it:

keytool -delete -alias boguscert -storepass storePassword -keystore emptyStore.keystore

Review its contents:

$ keytool -list -keystore emptyStore.keystore -storepass storePassword
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries

