55

I have a jks keystore with no password. When I run the command

keytool -list -keystore mykeystore.jks

And it prompts me for the keystore password, I simply hit 'enter'.

Please note that the keystore password IS NOT the default Java password of 'changeit'. It is blank.

When I try to run

keytool -storepasswd -keystore mykeystore.jks

to change the password to a non-blank string, it first prompts me for the current password. Simply hitting enter, since it is blank, says

keytool -storepasswd -keystore mykeystore.jks
Enter keystore password:
Keystore password is too short - must be at least 6 characters 

Just to confirm with everyone that the password is not 'changeit'

keytool -storepasswd -keystore mykeystore.jks
Enter keystore password:  changeit
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Any idea how I can change the keystore password if the existing password is blank?

Matthew Kirkley

5 Answers

104

If you're trying to do stuff with the Java default system keystore (cacerts), then the default password is changeit.

You can list keys without needing the password (even if it prompts you) so don't take that as an indication that it is blank.

(Incidentally who in the history of Java ever has changed the default keystore password? They should have left it blank.)

Timmmm
  • 2
    "You can list keys without needing the password" saved my day :) I find that we can always read the `Certificate Entry` from any `keystore` file without entering `keystore` password – Alireza Fattahi Sep 27 '17 at 13:16
  • 1
    When I enter blank the list works, but not when I enter changeit, making me wonder what the prompt is asking me – Snedden27 Oct 18 '19 at 13:57
41

Add -storepass to keytool arguments.

keytool -storepasswd -storepass '' -keystore mykeystore.jks

But also notice that the -list command does not always require a password. I could execute the following command in both cases: without a password or with a valid password.

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
ijrandom
  • 3
    Thanks for your response. The password indeed wasn't blank! I didn't know that about the -list command not requiring a password. – Matthew Kirkley Feb 26 '13 at 16:37
  • 32
    That's not working for me 'keytool -storepasswd -storepass '' -keystore mykeystore.jks' = keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect – the_marcelo_r Aug 08 '13 at 20:24
  • 2
    @theMarceloR Your password probably isn't actually blank. – duct_tape_coder Dec 28 '18 at 20:25
  • 1
    @theMarceloR and anyone else - on Windows command-line use "" (double quotes) for empty string instead of single-quotes. – JohannesB Mar 19 '19 at 05:56
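
Why `-list` succeeds on an empty prompt while `-storepasswd` rejects the same input, as an added example that is not from any of the posts above: a JKS file ends with a SHA-1 digest keyed by the store password, and keytool only verifies it when a password is actually supplied. The sketch below recomputes that digest to tell a genuinely blank password from `changeit`; the function names and the zero-entry sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest


def _digest(password: str, body: bytes) -> bytes:
    # Integrity value: SHA-1(password as UTF-16BE || SALT || keystore body)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS holding zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _digest(password, body)


def store_password_matches(jks: bytes, candidate: str) -> bool:
    """True if `candidate` reproduces the trailing 20-byte digest."""
    if len(jks) < 32 or struct.unpack(">I", jks[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    body, stored = jks[:-20], jks[-20:]
    return hmac.compare_digest(_digest(candidate, body), stored)


def diagnose(jks: bytes) -> str:
    """Check only the two values discussed in this thread."""
    if store_password_matches(jks, ""):
        return "blank"
    if store_password_matches(jks, "changeit"):
        return "changeit"
    return "other"


if __name__ == "__main__":
    # Constructed stores, one per password, to show the three outcomes.
    for pw in ("", "changeit", "s3cret-constructed"):
        print(repr(pw), "->", diagnose(build_empty_jks(pw)))
```

To check a real file, pass `open("mykeystore.jks", "rb").read()` to `diagnose`; a PKCS12 store fails the magic check and raises `ValueError`.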
3

Mine did actually have no password (rather than a blank password) so the solution above didn't work. The solution was to import the keystore to a new keystore:

keytool -importkeystore -srckeystore KeystoreWithNoPassword.jks -destkeystore NewKeystore.jks -deststorepass newPassword
collers
  • If you have a new question, please ask it by clicking the [Ask Question](https://stackoverflow.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/32184874) – Japhei Jul 09 '22 at 20:04
2

On my system the password is 'changeit'. On blank, if I hit enter, then it complains about a short password. Hope this helps.

Karan
0

This way worked better for me:

echo y | keytool -storepasswd -storepass 123456 -keystore /tmp/IT-Root-CA.keystore -import -alias IT-Root-CA -file /etc/pki/ca-trust/source/anchors/IT-Root-CA.crt

Machine running:

[root@rhel80-68]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 (Ootpa)