kaikramer
commented
4 years ago My keystore is password-protected
That sounds as if the keystore password is optional. It is not. And - as we are talking about JKS/JCEKS here - there is no real protection provided by the password. You can simply remove and replace it.
If you open a keystore in keytool without entering a password, then you are basically in a read-only mode. You can list the content but you cannot change anything. But that is just an artificial restriction of keytool, not one of the JKS keystore format. If you have forgotten the keystore password, you can use a simple Java program to "reset" the keystore password (something like this: https://gist.github.com/zach-klippenstein/4631307).
If you open a keystore in KSE without entering a password, there are two possible reasons:
- You want to save time because you just want to check something like the validity of a certificate. Then there is no difference between keytool and KSE (read-only mode). If you want to actually modify the keystore, it would have been easier/faster to enter the password once at the beginning.
- You don't know the keystore password. Then if you want to change something you have to set a new keystore password and obviously you cannot enter the old password here. With keytool you would have to execute the Java program mentioned above. So, again, not much difference between keytool and KSE, it's just a bit more complicated with keytool.
My keystore is password-protected, but it's possible to open it without entering the passphrase (skips the integrity check according description in #122).
With keytool you must always entering the old password:
keytool -storepasswd -keystore /opt/java/java11/lib/security/cacerts Enter keystore password: changeit New keystore password: new-password Re-enter new keystore password: new-password