
Java's keytool doesn't prompt for key password

Java's keytool has a parameter called -keypass which allows you to set a (separate) password to protect your private key, in addition to the password used for the entire key store.

According to the documentation:

The value of -keypass is a password used to protect the private key of the generated key pair. If a password is not provided, then the user is prompted for it. If you press the Return key at the prompt, then the key password is set to the same password as the keystore password. The -keypass value must have at least six characters.

However, when I leave out the password in the call to this command I don't seem to get prompted at all, at least not when this is used in combination with -genkeypair to generate an RSA key pair. Instead I just get the general help page. If I use "" to force an "empty" password then it (correctly) tells me that the password should at least be 6 characters.

Is there a way to force the keytool to prompt for a key specific password instead of having to offer it on the command line according to the documentation of -genkeypair ?


I've tested this against Java 11 LTS:

keytool -genkeypair -alias test1 -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -keystore test.pfx -storepass test1234 -keypass

or

keytool -genkeypair -alias test1 -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -keystore test.pfx -storepass test1234 -keypass ""

both don't seem to work; as you can see I've already moved the -keypass parameter to the end so it cannot gobble up a parameter as password.

The default keystore type for Java 11 is PKCS12, for which it is always assumed the keystore password and key password will be the same, hence you are not prompted to enter it (documentation).

If you need to use a key password to fit your requirements, you can use other keystore types like jks or jceks.

Note: If you are using jks or jceks, java will show you a warning message:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format


If you type:

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore double.pfx -storepass Storepass -keypass Keypass

You'll get the following warning:

Warning:  Different store and key passwords not supported for PKCS12 KeyStores.
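The two answers above say what keytool does (PKCS12: the key password is forced to the store password; JKS/JCEKS: a separate key password is honoured), but keytool itself never lets you see which password a key entry actually ended up under, because it silently substitutes the store password for PKCS12 stores. The following Java program is an added example, not code from the question or either answer: it loads a keystore through the java.security.KeyStore API and tries to recover the private key with each candidate password, so you can check the claim directly. It assumes two keystores built from the same command with different -storetype values (file names double.pfx and double.jks, alias test1, passwords Storepass and Keypass are assumptions chosen to match the second answer), e.g. keytool -genkeypair -alias test1 -keyalg RSA -keysize 2048 -storetype JKS -keystore double.jks -storepass Storepass -keypass Keypass -dname CN=test, and the same with -storetype PKCS12 -keystore double.pfx.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;

/**
 * Probe which password unlocks the private-key entry of a keystore.
 *
 * Added example, not part of the original question or answers. Assumed inputs
 * (hypothetical file names / values): double.pfx and double.jks, both created
 * with -alias test1 -storepass Storepass -keypass Keypass, one with
 * -storetype PKCS12 and one with -storetype JKS.
 *
 * Usage:
 *   java KeyPasswordProbe double.pfx PKCS12 test1 Storepass Storepass Keypass
 *   java KeyPasswordProbe double.jks JKS    test1 Storepass Storepass Keypass
 */
public class KeyPasswordProbe {

    /** Result of trying one candidate key password. */
    enum Outcome { UNLOCKED, REJECTED }

    /**
     * Load the keystore with storePass (this verifies the store integrity MAC),
     * then try to recover the private key of alias with each candidate key
     * password. Returns one Outcome per candidate, in the same order.
     */
    static Outcome[] probe(String path, String storeType, String alias,
                           char[] storePass, char[][] candidates) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private-key entry named " + alias);
        }
        Outcome[] out = new Outcome[candidates.length];
        for (int i = 0; i < candidates.length; i++) {
            try {
                // getKey decrypts the key entry with the supplied key password;
                // a wrong password surfaces as UnrecoverableKeyException for
                // both JKS ("Cannot recover key") and PKCS12 (decryption failure).
                Key k = ks.getKey(alias, candidates[i]);
                out[i] = (k != null) ? Outcome.UNLOCKED : Outcome.REJECTED;
            } catch (UnrecoverableKeyException e) {
                out[i] = Outcome.REJECTED;
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: KeyPasswordProbe <keystore> <storetype> <alias> <storepass> <keypass>...");
            System.exit(2);
        }
        String[] cands = Arrays.copyOfRange(args, 4, args.length);
        char[][] candChars = new char[cands.length][];
        for (int i = 0; i < cands.length; i++) {
            candChars[i] = cands[i].toCharArray();
        }

        Outcome[] res = probe(args[0], args[1], args[2], args[3].toCharArray(), candChars);
        for (int i = 0; i < cands.length; i++) {
            System.out.printf("%-6s  key password '%s' -> %s%n", args[1], cands[i], res[i]);
        }
    }
}
```

If the first answer is right, the PKCS12 file reports only Storepass as UNLOCKED (keytool dropped the -keypass value it warned about), while the JKS file reports only Keypass as UNLOCKED. Note that the KeyStore API itself accepts a per-entry password for PKCS12 through setKeyEntry; the single-password rule is enforced by keytool, not by the file format, so a store written by other software may legitimately behave differently under this probe.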
