I am trying to change the password of the private key in my keystore. Doing the following:
keytool -keypasswd -alias <alias name> -keystore <keystore path>
I get:
Enter keystore password: <keystore password>
Which returns:
keytool error: java.lang.Exception: Alias <ltsabreskey> has no key
This keystore was generated using a certificate that was extracted from a different keystore for which the password was lost. I'm trying to push an update to an existing app in the Play Store. Can this be done with a newly generated keystore from the extracted certificate?
NOTE: This answer applies to JKS and JCEKS keystore types and NOT PKCS12.
A keystore can hold a secret-key, key-pair (private key + certificate chain) or a certificate. You can identify these types by these names respectively when you -list the keystore -- SecretKeyEntry, PrivateKeyEntry and trustedCertEntry.
Of these, the SecretKeyEntry and PrivateKeyEntry can be protected with their own password (could be different from the keystore password), if the keystore type is JKS or JCEKS. You cannot have different keystore and key passwords for the PKCS12 keystore type; the key password has to be the same as the keystore password.
Now, you mentioned in your last statement that the keystore you were working on was created with a certificate that was exported from a different keystore. There are two different use-cases to adding a certificate to a keystore. When you want to trust a particular certificate, you can add just the certificate itself; this is called the trustedCertEntry. Or you can add/update the certificate for a key-pair, which means the certificate being added will be associated with a private key; this is a PrivateKeyEntry.
The alias you are working with is a trustedCertEntry, which cannot have a keypass. So when you supply the keypasswd command against this alias, it will throw you the 'no key' error, which is what you are seeing.
To answer your specific problem, you cannot do the action you are doing without the private key. You extracted the certificate from the original keystore, but it doesn't have the private key, and you cannot extract the private key without the password. So, in short, you need to recover your old keystore. If you are unable to, follow the Play Store guidelines on what to do if the original keystore is not recoverable.
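A pre-flight check for the situation in the answer above, added here as an example and not part of the original answer: it reads keytool -list -v output and reports whether an alias holds a key with its own password. The sample listing and the alias releasekey are constructed, and the parsing assumes keytool's English-locale labels.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output (English locale), trimmed to
# the lines this check reads. "releasekey" is a made-up alias.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Alias name: ltsabreskey
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Alias name: releasekey
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# field LABEL [ALIAS]: print the value of the first "LABEL: value" line on
# stdin; with ALIAS, only inside that alias's block (aliases compare case-insensitively).
field() {
    awk -v label="$1: " -v want="$2" '
        index($0, "Alias name: ") == 1 { alias = tolower(substr($0, 13)) }
        index($0, label) == 1 && (want == "" || alias == tolower(want)) {
            v = substr($0, length(label) + 1); sub(/[ \t\r]+$/, "", v); print v; exit
        }'
}

# check_alias ALIAS: reads the listing on stdin.
# Returns 0 if the entry can have its own key password, 1 otherwise.
check_alias() {
    listing=$(cat)
    store=$(printf '%s\n' "$listing" | field "Keystore type")
    etype=$(printf '%s\n' "$listing" | field "Entry type" "$1")
    case "$etype" in
        "") echo "$1: alias not found"; return 1 ;;
        trustedCertEntry) echo "$1: trustedCertEntry (certificate only, no key)"; return 1 ;;
    esac
    case "$store" in
        [Pp][Kk][Cc][Ss]12) echo "$1: $etype in PKCS12 (key password = keystore password)"; return 1 ;;
    esac
    echo "$1: $etype in $store (separate key password possible)"
}

# Demo on the constructed sample; against a real keystore, pipe keytool's output in instead.
for a in ltsabreskey releasekey; do
    sample_listing | check_alias "$a" || true
done
```

Against a real keystore the input would come from keytool -list -v -keystore <keystore path>, piped into check_alias <alias name>.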