What is Java keytool?
The Java keytool is a command-line utility used to manage keystores in different formats that contain keys and certificates. You can use the Java keytool to change a keystore password, a key password, or both. In many respects, it is a competing utility with openssl for keystore, key, and certificate management.
When should you change the keystore password or key password in the keystore?
You should change the keystore password or key password as a regular practice, just like key rotation. The keys protected by the keystore should also be rotated, separately from the keystore password. If your keystore password has been compromised, you MUST immediately rotate all keys protected by the keystore. Only changing the keystore password is not enough in this case.
You should strongly consider changing a private key password to match the keystore password, as many utilities will not work if the two differ.
What keytool command do I use to change keystore password?
This command changes the keystore password on a PKCS12 (p12) keystore. A common alternate file extension for a PKCS12 (p12) keystore is .pfx.
keytool -storepasswd \
-new changed \
-keystore example.p12 \
-storepass changeit \
-storetype PKCS12 \
-v
Java keytool options:
-new
– The new password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-keystore
– The keystore file.
-storepass
– The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype
– Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-v
– Verbose

What keytool command do I use to change key password in a JKS keystore?
Most of our examples work with PKCS12 store types. For this specific exercise, we are working with a JKS store type to demonstrate how to use the -keypasswd command, as JKS is the only supported store type for this command.
keytool -keypasswd \
-alias example.com \
-keypass changeit \
-new changed \
-keystore example.jks \
-storepass changed \
-storetype JKS \
-v
Java keytool options:
-alias
– The alias of the key whose password is being changed
-keypass
– The current key password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-new
– The new key password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-keystore
– The keystore file.
-storepass
– The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype
– Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type JKS.
-v
– Verbose
What keytool command do I use to change key password in a PKCS12 keystore?
Unfortunately, the -keypasswd command is not supported for PKCS12 passwords. If you try, you will receive the following error: “keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12”
Instead, you must import the PKCS12 keystore into a new keystore, which lets you give it a new password.
keytool -importkeystore \
-srckeystore example.p12 \
-srcstoretype PKCS12 \
-srcstorepass changed \
-destkeystore newexample.p12 \
-deststoretype PKCS12 \
-deststorepass changedagain \
-destkeypass changedagain
Java keytool options:
-srckeystore
– The current keystore file.
-srcstoretype
– The current keystore type. Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-srcstorepass
– The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-destkeystore
– The new keystore file.
-deststoretype
– The new keystore type. Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-deststorepass
– The new keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-destkeypass
– The key password in the new keystore. This must be included and set equal to -deststorepass; otherwise the key password will not be updated and the keystore will be corrupt.
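As an added example (not from this page and not part of keytool), the same rotation done with the standard java.security.KeyStore API: every entry is copied into a new PKCS12 file whose store password and key password are both set to the new value, and a verify step confirms the result opens with that password. The class and method names are hypothetical; the file names and passwords mirror the -importkeystore command above.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

public final class Pkcs12PasswordRotator { // hypothetical helper class

    // Copy every entry of a PKCS12 keystore into a new PKCS12 file, protecting both the
    // store and each key with newPass (the -deststorepass == -destkeypass rule above).
    public static void rotate(String srcPath, char[] srcStorePass, char[] srcKeyPass,
                              String destPath, char[] newPass)
            throws IOException, GeneralSecurityException {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(srcPath)) {
            src.load(in, srcStorePass);
        }
        KeyStore dest = KeyStore.getInstance("PKCS12");
        dest.load(null, null); // start with an empty in-memory keystore
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Recover the key with the old key password and re-protect it with the new one.
                // getCertificateChain() is null for secret-key entries, which setKeyEntry accepts.
                dest.setKeyEntry(alias, src.getKey(alias, srcKeyPass), newPass,
                                 src.getCertificateChain(alias));
            } else {
                dest.setCertificateEntry(alias, src.getCertificate(alias)); // trusted certs have no password
            }
        }
        try (FileOutputStream out = new FileOutputStream(destPath)) {
            dest.store(out, newPass);
        }
    }

    // Check that the new file opens with pass and that every key entry is recoverable with it.
    public static boolean verify(String path, char[] pass) {
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, pass); // wrong store password -> IOException
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(alias)) ks.getKey(alias, pass); // wrong key password -> UnrecoverableKeyException
            }
            return true;
        } catch (IOException | GeneralSecurityException e) {
            return false;
        }
    }
}
```

Calling rotate("example.p12", "changed".toCharArray(), "changed".toCharArray(), "newexample.p12", "changedagain".toCharArray()) followed by verify("newexample.p12", "changedagain".toCharArray()) reproduces the command above; in practice read the passwords from a prompt or secret store rather than hard-coding them.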

Here are the official keytool docs to dive further into how to change the keystore password: https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__MANAGETHEKEYSTORE-507D231A