I cannot change PKCS keystore password using keytool (java 8). When I tried to change the key password:
keytool -keypasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -keypass oldpass -new newpass
keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12
It means key password cannot be changed for PKCS12 keystore. Then I tried to change the keystore password:
keytool -storepasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -new newpass
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -new value.
keytool error: java.io.FileNotFoundException: keystore.p12 (Access is denied)
It means, we have to change keystore password and keypassword together. But there is no command to change both. What can I do?
It's unfortunate, but when you lose your keystore, or the password to your keystore, your application is orphaned. The only thing you can do is resubmit your app to the market under a new key.
You can import the PKCS12 file to another PKCS12 where you can give new password for new PKCS12 file. Then you can use the new PKCS12 file or delete the previous one and rename the new file name with the old file name. Its not a straight forward way, but it fulfills the objective.A sample code is given bewlow
keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344
Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.
I know the question is about using keytool
, but if that is not an strict requirement, you can use openssl
instead:
Export certs and keys to a temp.pem file without password protection. This will ask you interactively for the decrypt password:
openssl pkcs12 -in keystore.p12 -out temp.pem -nodes
Export from temp.pem file to a new PKCS#12 file. This will ask you interactively for the new encrypt password:
openssl pkcs12 -export -in temp.pem -out keystore-new.p12
Remove the temporary file:
rm temp.pem
⚠️ It is important that you do this in a folder where nobody else has permission to read, because as long as the temp.pem
file exist, the keys inside could be read.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With