16

I cannot change the PKCS keystore password using keytool (Java 8). When I tried to change the key password:

keytool -keypasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -keypass oldpass -new newpass
keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12

It means the key password cannot be changed for a PKCS12 keystore. Then I tried to change the keystore password:

keytool -storepasswd -keystore keystore.p12 -storetype PKCS12 -storepass oldpass -new newpass
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -new value.
keytool error: java.io.FileNotFoundException: keystore.p12 (Access is denied)

It means we have to change the keystore password and the key password together. But there is no command to change both. What can I do?

Tamal Kanti Nath

2 Answers

29

You can import the PKCS12 file to another PKCS12 where you can give a new password for the new PKCS12 file. Then you can use the new PKCS12 file, or delete the previous one and rename the new file with the old file name. It's not a straightforward way, but it fulfills the objective. Sample code is given below:

keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344 

Here, DocCA.p12 is the existing PKCS12 with password 123456, which is exported to the DocCA2.p12 file with password 11223344.

Saqib Rezwan
  • This is a workaround. I have implemented it for the time being as there are no other options. – Tamal Kanti Nath Jul 09 '15 at 08:26
  • Yes, if I find a proper solution, I will let you know. Please do the same for me. Cheers :) – Saqib Rezwan Jul 09 '15 at 08:35
  • 4
    We found that this leads to a corrupt pkcs12 file, as per: http://www.herongyang.com/PKI/Intermediate-CA-OpenSSL-pkcs12-Decrypt-Error.html ; adding "-destkeypass 11223344" corrects the problem. – erny May 19 '16 at 20:41
  • Before posting, I tested the above command line myself. It worked fine (opened the new pkcs12 with the new password). I do not know whether it corrupts it or not, but thanks for pointing out a new point. Cheers !!! – Saqib Rezwan May 20 '16 at 04:07
  • 1
    If the password that you specify contains any special characters or spaces, make sure to include them in "". E.g.: -deststorepass "Abc23344&" – Asanga Dewaguru Mar 02 '17 at 05:38
15

I know the question is about using keytool, but if that is not a strict requirement, you can use openssl instead:

  1. Export certs and keys to a temp.pem file without password protection. This will ask you interactively for the decrypt password:

    openssl pkcs12 -in keystore.p12 -out temp.pem -nodes
    
  2. Export from temp.pem file to a new PKCS#12 file. This will ask you interactively for the new encrypt password:

    openssl pkcs12 -export -in temp.pem -out keystore-new.p12
    
  3. Remove the temporary file:

    rm temp.pem
    

⚠️ It is important that you do this in a folder where nobody else has permission to read, because as long as the temp.pem file exists, the keys inside could be read.

Yajo
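The three openssl steps from the answer above, as an added example that is not part of the original post: a POSIX shell function that runs them inside a private scratch directory (addressing the warning about the readable temp.pem) and reads both passwords from environment variables instead of the command line. The function names rekey_pkcs12 and pkcs12_opens_with and the variables OLD_PASS and NEW_PASS are this example's own choices, not anything from the answer.

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumed interface:
#   OLD_PASS=... NEW_PASS=... rekey_pkcs12 old.p12 new.p12
# (function and variable names are this example's own choices).
set -eu

rekey_pkcs12() {
    src=$1; dst=$2
    : "${OLD_PASS:?export OLD_PASS (current store password)}"
    : "${NEW_PASS:?export NEW_PASS (new store password)}"
    # umask 077: every file written from here on is owner-readable only, so
    # the unencrypted temp.pem never becomes readable by other users.
    old_umask=$(umask); umask 077
    # Private, freshly created scratch directory (mktemp -d gives mode 0700),
    # removed on any exit path so the plaintext key does not outlive the run.
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT INT TERM

    # Step 1: decrypt the old store into an unencrypted PEM bundle.
    # env:OLD_PASS keeps the password out of argv, where `ps` would show it.
    openssl pkcs12 -in "$src" -out "$work/temp.pem" -nodes -passin env:OLD_PASS

    # Step 2: re-export under the new password. A PKCS12 file has a single
    # password for the store and its keys, which is why keytool refused above.
    openssl pkcs12 -export -in "$work/temp.pem" -out "$dst" -passout env:NEW_PASS

    # Step 3: remove the temporary PEM now rather than waiting for the trap.
    rm -rf "$work"
    umask "$old_umask"
}

# Returns 0 if the store's MAC verifies with the given password, else non-zero.
# Use it to confirm the new file opens with NEW_PASS and no longer with OLD_PASS.
pkcs12_opens_with() {
    CHECK_PASS=$2 openssl pkcs12 -in "$1" -info -noout -passin env:CHECK_PASS >/dev/null 2>&1
}
```

After the re-export, `keytool -list -keystore new.p12 -storetype PKCS12` with the new password confirms that Java reads the result as well.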