How to change Java KeyStore (JKS) keystore and alias password so that they work
I've created a global JKS that has "changeme" as the keystore password. I created the JKS using the Keystore Explorer.

The idea behind using the global JKS is that apps can pull down the JKS from S3 and then reset the JKS with their own string password. We do a lot of SpringBoot APIs and we use the JKSs to secure Tomcat in the container so we can get HTTPS connected.

But here's the problem I'm running into: when I change the JKS keystore password I start getting java.security.UnrecoverableKeyException: Cannot recover key errors being thrown.

In the Keystore Explorer I didn't specify a password for the alias. When I go into the Keystore Explorer to change the alias password, it accepts "changeme" as the password. So, I assume the Keystore Explorer is automatically using changeme as the password since I supplied it for the JKS keystore password.

Admittedly, I'm no expert with using JKS and understanding the intricacies of security but this one has me stumped.

I've also tried changing both the keystore password and the alias password with keytool, using the following commands:

keytool -storepasswd -keystore myJKS.jks

and

keytool -keypasswd -alias myalias -keystore myJKS.jks

But when I try to change the alias I get:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

What am I doing wrong?

Thanks

Lightness answered 18/6, 2019 at 19:5
The error you are seeing is because you might have provided a wrong keystore-password in the command.

First, a basic understanding of what a JKS is and how it works. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password; this password is called the keystore-password. The keys within the JKS file can also be protected individually, which means they can have their own password, which is called a key-password.

The way to change the keystore-password:

keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]

The way to change the key-password:

keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]

These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.

server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.

You can find all the spring-boot properties in the documentation here.

If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.

Magdau answered 19/6, 2019 at 14:34
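The same two-step rotation (key-password first, then keystore-password) done through the java.security.KeyStore API rather than keytool, as an added example that is not part of the answer above. It assumes placeholder file names (myJKS.jks, myJKS-rotated.jks) and the alias myalias from the question, and that the key-password currently equals the original "changeme" keystore-password, which is what the question observed KeyStore Explorer doing when no separate alias password was set.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;

public class RotateJksPasswords {

    // Re-wraps every key entry under the new key-password, then stores the file
    // under the new keystore-password. Both steps are needed: changing only the
    // keystore-password leaves each key protected by the OLD key-password, and
    // that mismatch is what later surfaces as "Cannot recover key".
    static void rotate(Path in, Path out, char[] oldStorePass, char[] oldKeyPass,
                       char[] newStorePass, char[] newKeyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream is = Files.newInputStream(in)) {
            ks.load(is, oldStorePass); // wrong store password -> IOException "tampered with"
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;    // trusted-cert entries carry no key-password
            Key key = ks.getKey(alias, oldKeyPass); // wrong key password -> UnrecoverableKeyException
            Certificate[] chain = ks.getCertificateChain(alias); // null for secret-key entries
            ks.setKeyEntry(alias, key, newKeyPass, chain);
        }
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, newStorePass);
        }
    }

    // Post-rotation check: can the key be opened with exactly the passwords the
    // Spring Boot server.ssl.key-store-password / server.ssl.key-password will use?
    static boolean keyRecoverable(Path jks, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream is = Files.newInputStream(jks)) {
            ks.load(is, storePass);
        }
        try {
            return ks.getKey(alias, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; "changeme" is the question's original password, used for both.
        Path in = Paths.get("myJKS.jks"), out = Paths.get("myJKS-rotated.jks");
        char[] old = "changeme".toCharArray();
        char[] fresh = (args.length > 0 ? args[0] : "new-app-secret").toCharArray();
        rotate(in, out, old, old, fresh, fresh);
        System.out.println("recoverable with new passwords: " + keyRecoverable(out, fresh, "myalias", fresh));
    }
}
```

Running it with keytool instead maps to the answer's two commands, with -keypass equal to the old keystore-password; if keyRecoverable returns false, the stored key-password is not what the application has been configured with.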