How to autofill source keystore password when importing pkcs12 to keystore

Question

I can import a p12 keystore to keystore. With the storepass, I can pre-fill the passwort of the destination keystore.

keytool -importkeystore -srckeystore kafka.server.keystore.p12 -srcstoretype pkcs12 -destkeystore kafka.server.keystore.jks -storepass $PWD

However, I am still asked for the source keystore password:

Enter source keystore password:

How do I prevent that?

Answer 1

Use -srcstorepass . Also better use -deststorepass (which is documented) not -storepass (which just happens to work in the code). See keytool -importkeystore -help.

Note if the p12 contains a privatekey-and-cert (as it usually does) and you make the dest=JKS storepass different from the src=P12 combined-store&key-pass, the privatekey within the JKS still has its key(entry) pass the same as the p12 source. This means any program wanting to use the privatekey from the JKS must support different values for storepass and keypass, and some don't.