Menu
I am trying to import PKCS12 certificate using keytool in java. It works fine only when the keystore password is the same as certificate password. Is it mandatory to use the PKCS12 certificate password for keystore as well?
728
The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates.
In the Enter keystore password prompt, type the current password, which by default is changeit, and press Enter. The new password is saved to cacerts.
The keystore password is sensitive information, and keeping it secure is critical to the security of your realm server.
By default, Java has a keystore file located at JAVA_HOME/jre/lib/security/cacerts. We can access this keystore using the default keystore password changeit.
From the documentation of keytool (only options relevant to this question are listed):
keytool -importkeystore [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass]} [-destkeypass destkeypass] ...
Imports a single entry or all entries from a source keystore to a destination keystore.
When the -srcalias option is provided, the command imports the single entry identified by the alias to the destination keystore. [...] If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. The destination entry is protected with destkeypass. If destkeypass is not provided, then the destination entry is protected with the source entry password. For example, most third-party tools require storepass and keypass in a PKCS #12 keystore to be the same. In order to create a PKCS #12 keystore for these tools, always specify a -destkeypass to be the same as -deststorepass.
If the -srcalias option is not provided, then all entries in the source keystore are imported into the destination keystore. [...] If the source entry is protected by a password, then srcstorepass is used to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. [...] The destination entry is protected with the source entry password.
So, whether it is mandatory to use the PKCS12 certificate password for keystore as well depends on the application that will try to read the keystore.
135
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
