1/30/21

How to Change JKS KeyStore Private Key Password

Use the following keytool command to change the keystore password:

> keytool -storepasswd -new [new password] -keystore [path to key store]

For example, to change the password of the jvkeystore.jks file:

$ keytool -storepasswd -new newjvkeystore -keystore jvkeystore.jks

Enter keystore password: 

Use the following keytool command to change the private key password:

> keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]

It then prompts for the keystore password, the current private key password, and the new private key password.

As an example,

$ keytool -keypasswd -alias jvkeystore -keystore jvkeystore.jks 

Enter keystore password: 

Enter key password for <jvkeystore>

New key password for <jvkeystore>: 

Re-enter new key password for <jvkeystore>: 

If you do not know the alias of the private key, you can find it by listing the keystore details and looking for PrivateKeyEntry.

$ keytool -list -keystore jvkeystore.jks 

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 37 entries


jvkeystore.cert, Feb 26, 2010, trustedCertEntry, 

Certificate fingerprint (SHA1): 34:2F:8E:60:4F:95:2C:74:10:0A:62:4B:DC:35:51:91:4C:B1:AE:BD

jvkeystore, May 26, 2014, PrivateKeyEntry, 

Certificate fingerprint (SHA1): 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
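With 37 entries, picking out the PrivateKeyEntry by eye is error-prone. The following is an added example, not part of the original post: a small parser for the `keytool -list` output shown above. The helper names (`list_entries`, `private_key_aliases`, `sample_listing`) are hypothetical, and it assumes the English-locale date format seen in the sample.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of keytool.

# Reads non-verbose `keytool -list` output on stdin and prints one line per
# entry: <entryType> TAB <alias> TAB <fingerprint>
list_entries() {
    awk '
    # Entry line: "<alias>, <Mon d>, <yyyy>, <entryType>, " (assumed date format)
    /(PrivateKeyEntry|trustedCertEntry),[ \t]*$/ {
        n = split($0, f, ",")
        type = f[n-1]; gsub(/^[ \t]+|[ \t]+$/, "", type)
        # Alias is everything before the date, so commas in an alias survive.
        alias = f[1]
        for (i = 2; i <= n - 4; i++) alias = alias "," f[i]
        pending = 1
        next
    }
    # The fingerprint line follows its entry line (blank lines are skipped).
    pending && /^Certificate fingerprint/ {
        print type "\t" alias "\t" $NF
        pending = 0
    }'
}

# Prints only the aliases that hold a private key.
private_key_aliases() {
    list_entries | awk -F '\t' '$1 == "PrivateKeyEntry" { print $2 }'
}

# Sample input: the two entries from the listing above.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 37 entries

jvkeystore.cert, Feb 26, 2010, trustedCertEntry, 
Certificate fingerprint (SHA1): 34:2F:8E:60:4F:95:2C:74:10:0A:62:4B:DC:35:51:91:4C:B1:AE:BD
jvkeystore, May 26, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
EOF
}
```

Against a real keystore, pipe the listing in: `keytool -list -keystore jvkeystore.jks | private_key_aliases`.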

Common Java Keytool Keystore Commands

Java Keytool Commands for Creating and Importing keystore files:

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

Generate a Java keystore and key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks  -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Generate a keystore and self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048


Java Keytool Commands for Validation of Keys

If you need to check the information within a certificate or Java keystore, use these commands.

Check a stand-alone certificate

keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias

keytool -list -v -keystore keystore.jks -alias mydomain


Other Useful Java Keytool Commands

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Export a certificate from a keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Import PFX file into java keystore

keytool.exe -importkeystore -srckeystore winkey.pfx -srcstoretype pkcs12 -destkeystore winserver.keystore -deststoretype JKS

Convert PFX Certificate to JKS, P12, CRT for Java Keystore

All you need is OpenSSL and Java 7+!

First, let's generate a key from the PFX file; this key is later used for the p12 keystore.

openssl pkcs12 -in example.pfx -nocerts -out example.key  


The second command is almost the same, but this time it uses -nokeys and writes a crt file to export the certificates:

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt  


Now we have a key and a crt file. The next step is to create a truststore, like so:

keytool -import -file example.crt -alias exampleCA -keystore truststore.jks

For the question: "Do you trust this certificate?" answer "yes," so it is then added in the truststore.

If you only need a truststore, you can stop here.


The last step is to create a keystore, like so:

openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12

This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
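The three openssl steps above leave example.key in the working directory and prompt for passwords interactively. The script below is an added example, not part of the original post. It runs the same steps in a private temporary directory, reads the password from an environment variable through openssl's `-passin env:` / `-passout env:` options, and checks that the rebuilt keystore holds the same certificate as the source PFX. The names `pfx_to_p12`, `p12_fingerprint` and `PFX_PASS` are assumptions.

```shell
#!/bin/sh
# Added example; pfx_to_p12, p12_fingerprint and PFX_PASS are assumed names.

# SHA-256 fingerprint of the client certificate inside a PKCS#12 file.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: export PFX_PASS=...; pfx_to_p12 example.pfx keystore.p12
# The body is a subshell, so umask and the cleanup trap stay local to it.
pfx_to_p12() (
    src=$1; out=$2
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; exit 2; }
    export PFX_PASS
    umask 077                       # new files readable by the owner only
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT      # remove the extracted key on any exit

    # Step 1: private key, kept encrypted under the same password.
    openssl pkcs12 -in "$src" -nocerts -out "$work/example.key" \
        -passin env:PFX_PASS -passout env:PFX_PASS || exit 1
    # Step 2: certificate only.
    openssl pkcs12 -in "$src" -clcerts -nokeys -out "$work/example.crt" \
        -passin env:PFX_PASS || exit 1
    # Step 3: rebuild the p12 keystore.
    openssl pkcs12 -export -in "$work/example.crt" -inkey "$work/example.key" \
        -certfile "$work/example.crt" -name "examplecert" -out "$out" \
        -passin env:PFX_PASS -passout env:PFX_PASS || exit 1

    # Check: the new keystore must contain the same certificate as the source.
    fp=$(p12_fingerprint "$src")
    [ -n "$fp" ] && [ "$fp" = "$(p12_fingerprint "$out")" ] ||
        { echo "certificate fingerprint mismatch" >&2; rm -f "$out"; exit 1; }
)
```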

