Should keystore password be same as PKCS12 certificate password?

user5478656 · Sep 9, 2016

I am trying to import a PKCS12 certificate using keytool in Java. It works fine only when the keystore password is the same as the certificate password. Is it mandatory to use the PKCS12 certificate password for the keystore as well?

Answer

Leon · Sep 9, 2016

From the documentation of keytool (only options relevant to this question are listed):

keytool -importkeystore [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass]} [-destkeypass destkeypass] ...

Imports a single entry or all entries from a source keystore to a destination keystore.

When the -srcalias option is provided, the command imports the single entry identified by the alias to the destination keystore. [...] If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. The destination entry is protected with destkeypass. If destkeypass is not provided, then the destination entry is protected with the source entry password. For example, most third-party tools require storepass and keypass in a PKCS #12 keystore to be the same. In order to create a PKCS #12 keystore for these tools, always specify a -destkeypass to be the same as -deststorepass.

If the -srcalias option is not provided, then all entries in the source keystore are imported into the destination keystore. [...] If the source entry is protected by a password, then srcstorepass is used to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. [...] The destination entry is protected with the source entry password.

So, whether it is mandatory to use the PKCS12 certificate password for keystore as well depends on the application that will try to read the keystore.
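As an added illustration of the two fallback rules quoted above (this is not Leon's code nor part of the original answer), the following Java program reproduces them with the java.security.KeyStore API: the source key password falls back to the source store password, the destination key password falls back to whatever unlocked the source entry, and a final check shows the JKS entry being recovered with a key password that differs from the store password. File names and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class ImportP12 {
    // Copies every entry of a PKCS12 store into a JKS store, applying the two
    // fallbacks keytool documents: srckeypass -> srcstorepass, destkeypass -> source entry password.
    public static void importAll(String srcPath, char[] srcStorePass, char[] srcKeyPass,
                                 String destPath, char[] destStorePass, char[] destKeyPass)
            throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(srcPath)) {
            src.load(in, srcStorePass);
        }
        KeyStore dest = KeyStore.getInstance("JKS");
        dest.load(null, null); // initialise an empty destination store
        char[] recoverPass = (srcKeyPass != null) ? srcKeyPass : srcStorePass;
        char[] protectPass = (destKeyPass != null) ? destKeyPass : recoverPass;
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, recoverPass); // UnrecoverableKeyException if wrong
                Certificate[] chain = src.getCertificateChain(alias);
                dest.setKeyEntry(alias, key, protectPass, chain);
            } else {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream(destPath)) {
            dest.store(out, destStorePass);
        }
    }
    public static void main(String[] args) throws Exception {
        // File names and passwords below are placeholders chosen for this example.
        importAll("client.p12", "p12pass".toCharArray(), null,
                  "app.jks", "storepass".toCharArray(), "keypass".toCharArray());
        // Check: the JKS opens with storepass, but its key entry needs keypass.
        KeyStore check = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("app.jks")) {
            check.load(in, "storepass".toCharArray());
        }
        Key k = check.getKey(check.aliases().nextElement(), "keypass".toCharArray());
        System.out.println("key entry recovered with separate key password: " + (k != null));
    }
}
```

Whether the resulting store is usable still depends on the consumer: a tool that assumes storepass and keypass are identical will fail to read the entry, which is exactly the behaviour the documentation warns about for PKCS #12 destinations.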