How to Change JKS KeyStore Private Key Password

When your keystore is compromised,  you must change the password of it…  Also when you are using/testing IDM products that are shipped with default keystores,  It is always better to use them by changing the default passwords.  Passwords of JKS files can be easily changed by using java keytool command as  following…

Use following keytool command to change the key store password

>keytool  -storepasswd  -new [new password ]  -keystore  [path to key store]

As an example, if you are changing password of wso2carbon.jks file whch is shipped with WSO2 Carbon products

asela@localhost:~/is/wso2is-5.0.0/repository/resources/security$ keytool -storepasswd -new newWso2carbon -keystore wso2carbon.jks
Enter keystore password: 

Use following keytool command to change private key password

 >keytool -keypasswd  -alias [Alias name for private key]  -keystore [path to key store]

Then it would promote for key store password,  private key password and new private key passwords.

As an example,

asela@localhost:~/is/wso2is-5.0.0/repository/resources/security$ keytool -keypasswd -alias wso2carbon -keystore wso2carbon.jks 
Enter keystore password: 
Enter key password for <wso2carbon>
New key password for <wso2carbon>: 
Re-enter new key password for <wso2carbon>: 

If you are not aware of the alias of private key, you can find it by listing the keystore details.    You can look for PrivateKeyEntry

asela@localhost:~/is/wso2is-5.0.0/repository/resources/security$ keytool -list -keystore wso2carbon.jks 
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 37 entries

wso2carbon.cert, Feb 26, 2010, trustedCertEntry, 
Certificate fingerprint (SHA1): 34:2F:8E:60:4F:95:2C:74:10:0A:62:4B:DC:35:51:91:4C:B1:AE:BD
wso2carbon, May 26, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
Discuss this article on Stack Overflow


  1. Hi,

    I need to renew a certificate in keystore. I have created CSR and send it to CA and they have given the new certificates to import. Now the customer has asked us to change the storepass and keypass as well as part of the certification import.
    Can I do the following?
    – import the new cert.
    – change the store and keypass

    My doubt is this fine or will it affect the new certificate? is there any other steps that I need to perform?

    Thanks in advance for your help.

Leave a Reply

Your email address will not be published. Required fields are marked *