OpenJDK keytool password

Jae Kim · Jul 2, 2019 · Viewed 11k times

I am trying to register a corporate certificate for an HTTPS connection in OpenJDK.

I ran the following command in OpenJDK version 8. It asked me to enter the password. The default password for Oracle JDK is "changeit", but it doesn't work with OpenJDK.

I have tried to use the password changeit but it didn't work.

OpenJDK 8:

D:\java8\bin\keytool.exe -keystore "D:\java8\jre\lib\security\cacerts" -importcert -alias sds -file C:\Users\SDS\SDS.crt

OpenJDK version 11:

D:\jdk-11.0.2\lib\security>D:\jdk-11.0.2\bin\keytool.exe -keystore D:\jdk-11.0.2\lib\security\cacerts -importcert -alias sds -file C:\Users\SDS\SDS.crt

OpenJDK 8:

keytool 오류: java.io.IOException: Keystore was tampered with, or password was incorrect

OpenJDK version 11, the same problem occurs:

Warning: use -cacerts option to access cacerts keystore
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was

Answer

βξhrαng · Jul 2, 2019

For OpenJDK 8, first double check the password:

cd D:\java8\jre\lib\security
keytool -list -keystore cacerts -storepass changeit

If it continues to give you the same error, find the exact version of your Java 8 installation and download the corresponding ZIP archive from AdoptOpenJDK (e.g. OpenJDK8U-jre_x64_windows_hotspot_8u212b04.zip).

Extract the cacerts file (lib/security/cacerts) and using a binary diff tool (e.g. fc) compare the contents of the cacerts file from the downloaded archive to your local version. If they are not identical, it is possible that your D:\java8\jre\lib\security\cacerts file has been modified.

You can follow a similar procedure for validating OpenJDK 11's cacerts file.

Also: you don't need to import the custom certificates into the original D:\java8\jre\lib\security\cacerts file. I personally rarely do that. Instead, keep the original but create a copy of it in a custom folder and add your corporate certificates to that. In your case, you can copy the cacerts file from the ZIP file and move it to your home directory and add your corporate certificates to that, as you don't know the password for D:\java8\jre\lib\security\cacerts.

Then when you run a Java program, configure it to use your custom cacerts file instead of the default cacerts file:

java -Djavax.net.ssl.trustStore=path/to/custom/cacerts
     -Djavax.net.ssl.trustStorePassword=changeit
     ...

One more thing: ask your administrator -- maybe he has deliberately changed the password for the cacerts file.
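
An added example (not part of the answer above, and not keytool's own code): a Python version of the integrity check behind the "Keystore was tampered with, or password was incorrect" error, combined with the comparison against a pristine cacerts that the answer recommends. It assumes the store is in JKS format; the function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # constant the JKS format mixes into its digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over (password as UTF-16BE) + whitener + store body."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def password_matches(store: bytes, password: str) -> bool:
    """True if the trailing 20-byte digest verifies under this password."""
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    body, stored = store[:-20], store[-20:]
    return hmac.compare_digest(jks_digest(password, body), stored)


def diagnose(local: bytes, reference: bytes, password: str = "changeit") -> str:
    """Combine the password check with the binary comparison from the answer."""
    identical = hashlib.sha256(local).digest() == hashlib.sha256(reference).digest()
    accepted = password_matches(local, password)
    if identical:
        return "pristine, password ok" if accepted else "pristine, wrong password"
    # Changing only the store password also changes the trailing digest, so a
    # re-keyed store differs from the reference even with identical entries.
    return "modified, password ok" if accepted else "modified or re-keyed"


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    reference = make_empty_jks("changeit")   # stands in for the ZIP's cacerts
    rekeyed = make_empty_jks("corp-secret")  # constructed: password was changed
    print(diagnose(reference, reference))
    print(diagnose(rekeyed, reference))
```

With real files, pass the bytes of the local cacerts and of the copy extracted from the matching distribution archive; a "modified or re-keyed" result is the case where asking the administrator, as the answer suggests, is the next step.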