Change keystore password with Java keytool

April 1, 2022 by Mister PKI

What is Java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the Java keytool to change a keystore password, a key password, or both. In many respects it competes with openssl for keystore, key, and certificate management.

When should you change the keystore password or key password in the keystore?

You should change the keystore password or key password as a regular practice, just like key rotation. The keys protected by the keystore should also be rotated, separately from the keystore password. If your keystore password has been compromised, you MUST immediately rotate all keys protected by the keystore. Changing only the keystore password is not enough in this case.

You should strongly consider changing a private key password to match the keystore password, as many utilities will not work if the two differ.

What keytool command do I use to change keystore password?

This command changes the keystore password on a PKCS12 (p12) keystore. A common alternate file extension for a PKCS12 (p12) keystore is .pfx.

keytool -storepasswd \
 -new changed \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

Java keytool options:

-new – The new password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-keystore – The keystore file.

-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-v – Verbose


What keytool command do I use to change key password in a JKS keystore?

Most of our examples work with PKCS12 store types. For this specific exercise, we use a JKS store type to demonstrate the -keypasswd command, as JKS is the only supported store type for this command.

keytool -keypasswd \
 -alias example.com \
 -keypass changeit \
 -new changed \
 -keystore example.jks \
 -storepass changed \
 -storetype JKS \
 -v

Java keytool options:

-alias – The alias of the key whose password is being changed

-keypass – The current key password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-new – The new key password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-keystore – The keystore file.

-storepass – The keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type JKS.

-v – Verbose

What keytool command do I use to change key password in a PKCS12 keystore?

Unfortunately, the -keypasswd command is not supported for PKCS12 keystores. If you try, you will receive the following error: “keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12”

Instead, you must import the PKCS12 keystore into a new keystore and give it a new password during the import.

keytool -importkeystore \
 -srckeystore example.p12 \
 -srcstoretype PKCS12 \
 -srcstorepass changed \
 -destkeystore newexample.p12 \
 -deststoretype PKCS12 \
 -deststorepass changedagain \
 -destkeypass changedagain

Note that -deststorepass and -destkeypass are set to the same value. If they differ, most applications using the keystore will consider it corrupt.

On another note, both a keystore and key in the keystore should always have a password. Many applications cannot handle either a key or keystore with an empty password.

Java keytool options:

-srckeystore – The current keystore file.

-srcstoretype – The current keystore type. Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-srcstorepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-destkeystore – The new keystore file.

-deststoretype – The new keystore type. Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-deststorepass – The new keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-destkeypass – The new key password for the imported entries. This must be included and set equal to -deststorepass, otherwise the key password will not be updated and the keystore will be corrupt for most applications.


Change keystore password with bash script

Remember that each private key must have the same password as the encapsulating keystore for applications to be able to use the private key entries. You can use bash or any other scripting language with keystore support to loop through each private key entry in the keystore and change the entry password, and finally change the keystore password. Note that this only works with a JKS keystore, because PKCS12 keystores do not support the -keypasswd command.

#!/bin/bash
# Usage: ./change-keystore-password.sh <keystore> <current_password> <new_password>
# Only works with JKS keystores: PKCS12 keystores do not support -keypasswd.
if [ $# -lt 3 ]; then
  echo "Usage : $0 <keystore> <current_password> <new_password>"
  exit 1
fi
keystore="$1"
current="$2"
new="$3"

# Collect every alias in the keystore from the "Alias name:" lines of the verbose listing
aliasList="$(keytool -list -v -keystore "$keystore" -storepass "$current" | grep "Alias name" | cut -d':' -f2)"

# Change each private key entry password
for a in $aliasList; do
  keytool -keypasswd -alias "$a" -keypass "$current" -storepass "$current" -new "$new" -keystore "$keystore"
done

# Finally, change the encapsulating keystore password
keytool -storepasswd -keystore "$keystore" -storepass "$current" -new "$new"
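The PKCS12 re-import above and the JKS loop can be combined into one script. The one below is an added example written for this article, not the post's own script: it picks the procedure from the file extension (.p12/.pfx versus .jks, an assumption of this example), runs -keypasswd only against PrivateKeyEntry aliases, and takes the passwords from two environment variables named CURRENT_PASS and NEW_PASS (names chosen here) through keytool's documented ":env" password modifier, so neither password appears on the command line, in the process list, or in shell history. The sample listing near the bottom is constructed to exercise the alias parser offline.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the store password and every
# private-key password of a keystore in one step, without putting passwords on the
# command line. Passwords are read from the environment variables CURRENT_PASS and
# NEW_PASS (names chosen for this example) through keytool's ":env" password modifier.

# Map the keystore file extension to the store type (.p12/.pfx -> PKCS12, .jks -> JKS).
store_type_for() {
  case "$1" in
    *.p12|*.pfx|*.P12|*.PFX) echo PKCS12 ;;
    *.jks|*.JKS)             echo JKS ;;
    *)                       echo UNKNOWN ;;
  esac
}

# Read a `keytool -list -v` listing on stdin and print only the aliases whose
# entry type is PrivateKeyEntry, one per line. Trusted certificate entries have
# no key password, so running -keypasswd against them would only produce errors.
private_key_aliases() {
  awk -F': ' '
    /^Alias name:/ { alias = $2; sub(/[ \t\r]+$/, "", alias) }
    /^Entry type:/ { type = $2; sub(/[ \t\r]+$/, "", type)
                     if (type == "PrivateKeyEntry") print alias }
  '
}

# JKS: change each private key password, then the store password (same order as the post).
rotate_jks() {
  keystore="$1"
  keytool -list -v -keystore "$keystore" -storetype JKS -storepass:env CURRENT_PASS \
    | private_key_aliases \
    | while IFS= read -r alias; do
        keytool -keypasswd -keystore "$keystore" -storetype JKS -alias "$alias" \
          -keypass:env CURRENT_PASS -storepass:env CURRENT_PASS -new:env NEW_PASS
      done
  keytool -storepasswd -keystore "$keystore" -storetype JKS \
    -storepass:env CURRENT_PASS -new:env NEW_PASS
}

# PKCS12: -keypasswd is unsupported, so re-import into a fresh file with the new
# password used for both the store and the keys, verify it opens, then swap it in.
rotate_pkcs12() {
  keystore="$1"
  tmp="$keystore.rotating"
  keytool -importkeystore -noprompt \
    -srckeystore "$keystore" -srcstoretype PKCS12 -srcstorepass:env CURRENT_PASS \
    -destkeystore "$tmp" -deststoretype PKCS12 \
    -deststorepass:env NEW_PASS -destkeypass:env NEW_PASS
  # Refuse to replace the original unless the new file opens with the new password.
  keytool -list -keystore "$tmp" -storetype PKCS12 -storepass:env NEW_PASS >/dev/null
  mv "$tmp" "$keystore"
}

main() {
  keystore="$1"
  if [ -z "${CURRENT_PASS:-}" ] || [ -z "${NEW_PASS:-}" ]; then
    echo "Set CURRENT_PASS and NEW_PASS in the environment before running" >&2
    return 2
  fi
  case "$(store_type_for "$keystore")" in
    JKS)    rotate_jks "$keystore" ;;
    PKCS12) rotate_pkcs12 "$keystore" ;;
    *)      echo "Cannot tell the store type from the file name: $keystore" >&2; return 2 ;;
  esac
}

# Constructed sample of `keytool -list -v` output, used to exercise the parser offline.
SAMPLE_LISTING='Alias name: example.com
Creation date: Apr 1, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: rootca
Creation date: Apr 1, 2022
Entry type: trustedCertEntry'

# Run only when given a keystore path, e.g.: ./rotate_keystore_password.sh example.jks
if [ $# -ge 1 ]; then
  set -e
  main "$@"
fi
```

Export the two variables from a prompt (a silent read) rather than from a script file. The PKCS12 path writes to a temporary file and replaces the original only after the new file opens with the new password, which is the check that keeps you from ending up with a corrupt or half-rotated keystore; the JKS path stops at the first failing -keypasswd because of set -e.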

Conclusion

Let us know in the comments if you would like to see more examples of how to change a keystore and private key password in different keystore types.
