How do I get into a non-password protected Java keystore or change the password?

Asked 27/12, 2011 at 1:14 Answered 1/7, 2021 at 17:51

133

I'm trying to import a trusted certificated into the Java cacerts keystore, but I have a problem. I tried to list existing trusted certificates and it seems that the keystore isn't password protected.

$ keytool -list -keystore cacerts
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 76 entries

I tried to import a trusted certificate:

$ keytool -importcert -alias "JiraCert" -file /root/c9ssl.crt -keystore /etc/java-6-sun/security/cacerts
Enter keystore password:  
Keystore password is too short - must be at least 6 characters
Enter keystore password:  
Keystore password is too short - must be at least 6 characters
Enter keystore password:  
Keystore password is too short - must be at least 6 characters
Too many failures - try later

I also tried to change the password from "none" to something:

$ keytool -storepasswd -keystore cacerts.back
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Too many failures - try later

Tinsley answered 27/12, 2011 at 1:14 Comment(0)

214

which means that cacerts keystore isn't password protected

That's a false assumption. If you read more carefully, you'll find that the listing was provided without verifying the integrity of the keystore because you didn't provide the password. The listing doesn't require a password, but your keystore definitely has a password, as indicated by:

In order to verify its integrity, you must provide your keystore password.

Java's default cacerts password is "changeit", unless you're on a Mac, where it's "changeme" up to a certain point. Apparently as of Mountain Lion (based on comments and another answer here), the password for Mac is now also "changeit", probably because Oracle is now handling distribution for the Mac JVM as well.

Cota answered 27/12, 2011 at 1:37 Comment(5)

Thanks! I could not figure out why the password was!! – Flyblow 24/5, 2012 at 16:22

Yea thanks. What a terrible default password. I couldn't figure out what it was either. I just deleted the cacerts file and replaced it with my own. – Kyles 15/8, 2012 at 23:37

As datasmid says below, the Mac password if you are running Mountain Lion is also "changeit" – Emeric 16/4, 2013 at 16:40

"Java's default cacerts password is "changeit"": +1000 if I could! Thanks Stackoverflow! – Leukorrhea 4/3, 2014 at 9:8

Now default password is "android" – Melodiemelodion 1/4 at 5:11

The password of keystore by default is: "changeit". I functioned to my commands you entered here, for the import of the certificate. I hope you have already solved your problem.

Dragging answered 22/8, 2013 at 18:11 Comment(0)

In case if dealing with Google sign-in for android, the password for the debug keystore is android, as specified in here: https://developers.google.com/android/guides/client-auth

Sabella answered 1/7, 2021 at 17:51 Comment(0)

Mac Mountain Lion has the same password now it uses Oracle.

Swanger answered 21/11, 2012 at 13:2 Comment(0)

Getting into a non-password protected Java keystore and changing the password can be done with a help of Java programming language itself.

That article contains the code for that:

thetechawesomeness.ideasmatter.info

Bibliofilm answered 5/10, 2019 at 13:36 Comment(0)

Recommended topics

Hot tags