How to change the key password from an PKCS12 keystore

Question

I am trying to change the password of a certificate stored in an p12 keystore. I managed to change the keystore password by using the ikeycmd, but for the keypass nothing seems to work. This is the command I was trying:

keytool -keypasswd -storetype PKCS12 -keystore $KEYSTORE_FILE -alias $KEY_ALIAS -keypass $KEY_PASSWORD -new $new_pass -storepass $store_pass

and I am receiving the following output: keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12

I tried to run the command without the -storetype PKCS12 option and I got: keytool error (likely untranslated): java.io.IOException: Invalid keystore format

Can anyone, please, help? Thanks.

Answer 1

As per the internet standard, these are things you should follow when creating/dealing with a PCKS12 keystore:

1. The PKCS12 should contain only 1 keypair entry, i.e., a private key associated with a certificate chain.
2. The key password of the only entry is the same as the keystore password.

Java follows these rules too. So that's why the error when you try to change the key password when you provide the store type as PKCS12.

So ideally you are only supposed to change the keystore password for a PKCS12 keystore. You shouldn't be changing the key password.

But if the pkcs12 keystore doesn't follow the above rules, and you are trying to correct it, and unsuccessful to do so by using java keytool command, I recommend trying to fix it using keystore-explorer (a GUI tool to interact with any keystore).

It has an option to change the key password of the entry.