I cannot change PKCS keystore password using keytool (java 8). When I tried to change the key password: <pre class="prettyprint"><code>keytool -keypasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -keypass oldpass -new newpass keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12 </code></pre> It means key password cannot be changed for PKCS12 keystore. Then I tried to change the keystore password: <pre class="prettyprint"><code>keytool -storepasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -new newpass Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -new value. keytool error: java.io.FileNotFoundException: keystore.p12 (Access is denied) </code></pre> It means, we have to change keystore password and keypassword together. But there is no command to change both. What can I do?

You can import the PKCS12 file to another PKCS12 where you can give new password for new PKCS12 file. Then you can use the new PKCS12 file or delete the previous one and rename the new file name with the old file name. Its not a straight forward way, but it fulfills the objective.A sample code is given bewlow <pre class="prettyprint"><code>keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344 </code></pre> Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.

I know the question is about using <code>keytool</code>, but if that is not an strict requirement, you can use <code>openssl</code> instead: <ol> <li> Export certs and keys to a temp.pem file without password protection. This will ask you interactively for the decrypt password: <pre class="prettyprint"><code>openssl pkcs12 -in keystore.p12 -out temp.pem -nodes </code></pre> </li> <li> Export from temp.pem file to a new PKCS#12 file. This will ask you interactively for the new encrypt password: <pre class="prettyprint"><code>openssl pkcs12 -export -in temp.pem -out keystore-new.p12 </code></pre> </li> <li> Remove the temporary file: <pre class="prettyprint"><code>rm temp.pem </code></pre> </li> </ol> ⚠️ It is important that you do this in a folder where nobody else has permission to read, because as long as the <code>temp.pem</code> file exist, the keys inside could be read.

how to change PKCS12 keystore password using keytool?

Tags:

keytool

pkcs#12

I cannot change PKCS keystore password using keytool (java 8). When I tried to change the key password:

keytool -keypasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -keypass oldpass -new newpass
keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12

It means key password cannot be changed for PKCS12 keystore. Then I tried to change the keystore password:

keytool -storepasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -new newpass
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -new value.
keytool error: java.io.FileNotFoundException: keystore.p12 (Access is denied)

It means, we have to change keystore password and keypassword together. But there is no command to change both. What can I do?

925

asked Jul 05 '15 08:07

Tamal Kanti Nath

2 Answers

You can import the PKCS12 file to another PKCS12 where you can give new password for new PKCS12 file. Then you can use the new PKCS12 file or delete the previous one and rename the new file name with the old file name. Its not a straight forward way, but it fulfills the objective.A sample code is given bewlow

keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344

Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.

125

answered Oct 19 '22 07:10

Saqib Rezwan

I know the question is about using keytool, but if that is not an strict requirement, you can use openssl instead:

Export certs and keys to a temp.pem file without password protection. This will ask you interactively for the decrypt password:
```
openssl pkcs12 -in keystore.p12 -out temp.pem -nodes
```
Export from temp.pem file to a new PKCS#12 file. This will ask you interactively for the new encrypt password:
```
openssl pkcs12 -export -in temp.pem -out keystore-new.p12
```
Remove the temporary file:
```
rm temp.pem
```

⚠️ It is important that you do this in a folder where nobody else has permission to read, because as long as the temp.pem file exist, the keys inside could be read.

answered Oct 19 '22 08:10

Yajo

Related questions
                            
                                intelliJ idea java certificate
                            
                                Cannot update release APK using Google Play app signing upload certificate (with original keystore)
                            
                                Getting "No certificate matches private key"
                            
                                keytool -list shows different aliases for p12 keystore, depending on whether you provide the password
                            
                                Keystore password is too short - must be at least 6 characters for import
                            
                                Error while Importing public certificate to a keystore
                            
                                Generate a key with keytool, in a non-interactive way
                            
                                How to export public key from .jks file using Keytool?
                            
                                What is the significance of "key password" in keystore using keytool
                            
                                Verify certificate against Java certificate store via CLI
                            
                                PFX to JKS keytool conversion: Alias <*> does not exist
                            
                                Android KeytoolException: Failed to read key AndroidDebugKey lengthTag=109, too big
                            
                                SSL Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
                            
                                Create java keystore from private key and CA certificate bundle
                            
                                Newbie keytool command -- how to update cert already added to keystore?
                            
                                Keytool change key password using 'keypasswd' throws 'Alias has no key' error
                            
                                How to create keystore and truststore using self-signed certificate?
                            
                                java keytool with opensc pkcs#11 provider only works with debug option enabled
                            
                                Problem running my signed, release keystore in Eclipse
                            
                                Generating hash string for google sms retriever api - 'xxd' is not recognized as an internal or external command

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With