I used the following command to generate the JKS for my web app.
keytool -genkey -keyalg RSA -alias my-app -validity 10800 -keysize 2048 -sigalg SHA1withRSA -keystore myapp.jks
This command prompted some questions, as below:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: GS
What is the name of your organizational unit?
[Unknown]: XX
What is the name of your organization?
[Unknown]: YY
What is the name of your City or Locality?
[Unknown]: ZZ
What is the name of your State or Province?
[Unknown]: AA
What is the two-letter country code for this unit?
[Unknown]: BB
Is CN=GS, OU=XX, O=YY, L=ZZ, ST=AA, C=BB correct?
[no]: yes
Enter key password for <my-app> // Why is this password required???
(RETURN if same as keystore password):
Tomcat is able to read this keystore only when both the keystore password [prompted first] and the key password match. When I use some other password in place of the "key password", Tomcat fails to start due to the keystore file.
My question is: what is the significance of the key password?
P.S.: I have seen this link. Here they say:
Press RETURN when prompted for the key password (this action makes the key password the same as the KeyStore password).
If both passwords must be the same, then any idea what the significance of asking for it twice is?
As the JavaDoc states
The keypass value that you are prompted for specifies a password for the private key about to be generated. You will always need this password in order to access the keystore entry containing that key. The entry doesn't have to have its own password. When you are prompted for the key password, you are given the option of letting it be the same as the keystore password.
A keystore can contain multiple keys, and each of these keys can only be accessed using a password. So keytool is just giving you the option to keep the key password the same as that of the keystore you are creating.
As already answered by @Maas, the keyPassword is required to access the key entry that is stored in the KeyStore.
The way it happens is: first the KeyStore password is used to access/unlock the KeyStore, and then the keyPassword is used to decrypt the key entry inside that KeyStore.
Generally, various implementations/uses of SSL consider using the same password for KeyStorePassword and keyPassword.
That is the case in Tomcat also. If you look at the document tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html, they have clearly stated that "your private key password and keystore password should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key, as documented in Bugzilla issue 38217, which contains further references for this issue".
Even the JSSE implementation wants KeyStorePassword and KeyPassword to be the same.
https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/SSL-SysProps.html
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManagerFactory
You can have many keys in one keystore, each with its own password (or the same as the keystore itself, if you chose it to be). That's your decision, depending on how much you care about the security of the keys.
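The two-step unlock the answers describe (keystore password to open the file, key password to recover each private key entry, and a single key password for JSSE's KeyManagerFactory) can be seen directly from the Java KeyStore API. The program below is an added example, not code from the question or any of the answers. It assumes the myapp.jks file and the my-app alias created by the keytool command in the question, and takes the keystore password and the key password as separate arguments so you can try a mismatched pair and watch where the failure occurs: a wrong keystore password fails in load(), a wrong key password fails only in getKey() / KeyManagerFactory.init() with "Cannot recover key", which is the error Tomcat reports. (Unrelated to the passwords, but worth fixing in the question's command: -sigalg SHA1withRSA produces a SHA-1 signed certificate, which current JDKs warn about and browsers reject; use SHA256withRSA.)

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;

/**
 * Added example (not from the original post). Shows what each of the two
 * passwords keytool prompted for actually guards in a JKS file.
 *
 * Assumes myapp.jks with alias my-app as created by the question's keytool
 * command (both are assumptions; any JKS with a private key entry works).
 *
 * Usage: java KeyStorePasswords myapp.jks <storepass> <keypass>
 */
public class KeyStorePasswords {

    public static void main(String[] args) throws Exception {
        String file = args[0];
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[2].toCharArray();

        // Step 1: keystore password. For JKS it is used to verify the keyed
        // digest over the whole file; a wrong value fails right here with
        // IOException "Keystore was tampered with, or password was incorrect".
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }

        // Once loaded, everything that is NOT a private key is readable without
        // any further password: aliases and certificates are stored in clear.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": " + ks.getCertificate(alias).getType()
                + " certificate, private key entry = " + ks.isKeyEntry(alias));
        }

        // Step 2: key password. Each private key entry is encrypted on its own,
        // so a wrong key password is detected only when that entry is recovered.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            try {
                Key key = ks.getKey(alias, keyPass);
                System.out.println(alias + ": recovered " + key.getAlgorithm()
                    + " private key with the key password");
            } catch (UnrecoverableKeyException e) {
                // Message from the JKS implementation: "Cannot recover key"
                System.out.println(alias + ": " + e.getMessage());
            }
        }

        // Step 3: JSSE. KeyManagerFactory.init takes ONE key password and the
        // default SunX509 factory applies it to every key entry in the store.
        // Tomcat's connector supplies a single password here, which is why its
        // documentation wants the key password equal to the keystore password.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(ks, keyPass);
            System.out.println("KeyManagerFactory initialised with "
                + kmf.getKeyManagers().length + " key manager(s)");
        } catch (UnrecoverableKeyException e) {
            System.out.println("KeyManagerFactory failed: " + e.getMessage());
        }
    }
}
```

Run it once with matching passwords and once with a wrong third argument: listing the aliases and certificates succeeds both times, only the getKey() and init() steps fail with "Cannot recover key". If you created the store with different passwords and want Tomcat to accept it, keytool -keypasswd -alias my-app -keystore myapp.jks changes the key password (it prompts for the old and new value) without touching the keystore password.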