Should keystore password be same as PKCS12 certificate password?

I am trying to import a PKCS12 certificate using keytool in Java. It works fine only when the keystore password is the same as the certificate password. Is it mandatory to use the PKCS12 certificate password for the keystore as well?

user5478656 Avatar asked Sep 09 '16 05:09


1 Answer

From the documentation of keytool (only options relevant to this question are listed):

keytool -importkeystore [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass]} [-destkeypass destkeypass] ...

Imports a single entry or all entries from a source keystore to a destination keystore.

When the -srcalias option is provided, the command imports the single entry identified by the alias to the destination keystore. [...] If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. The destination entry is protected with destkeypass. If destkeypass is not provided, then the destination entry is protected with the source entry password. For example, most third-party tools require storepass and keypass in a PKCS #12 keystore to be the same. In order to create a PKCS #12 keystore for these tools, always specify a -destkeypass to be the same as -deststorepass.

If the -srcalias option is not provided, then all entries in the source keystore are imported into the destination keystore. [...] If the source entry is protected by a password, then srcstorepass is used to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. [...] The destination entry is protected with the source entry password.

So, whether it is mandatory to use the PKCS12 certificate password for keystore as well depends on the application that will try to read the keystore.

Leon Avatar answered Sep 17 '22 18:09
