A truststore is a repository of trusted certificates that Java applications use to validate the peer when establishing SSL/TLS connections. A password protects each truststore to ensure the integrity of its contents. You might want to change the truststore password when updating security policies, migrating environments, or addressing potential password exposure.
This guide walks you through the process of changing the password for a truststore using keytool, verifying the changes, and updating dependent applications.
TL;DR
- Use the keytool command to change a truststore password:
keytool -storepasswd -keystore <truststore-file>
- Verify the new password using:
keytool -list -keystore <truststore-file>
- Update applications or services that rely on the truststore with the new password.
Prerequisites
1. Java Development Kit (JDK): Ensure the keytool utility is available.
java -version
2. Access to the Truststore File: Know the location of the truststore (e.g., cacerts or a custom .jks file).
3. Current Truststore Password: The current password is required to make changes. The default password for the Java truststore is typically changeit.
Step 1: Locate the Truststore
You can find the truststore in the following locations:
- Default Java truststore:
$JAVA_HOME/lib/security/cacerts
- Custom truststore: Check your application or server configuration for the specified .jks file.
Step 2: Change the Truststore Password
The keytool command is used to update the truststore password.
Command Syntax:
keytool -storepasswd -keystore <truststore-file>
Example:
If your truststore file is located at /home/user/truststore.jks, run:
keytool -storepasswd -keystore /home/user/truststore.jks
You will be prompted for:
- The current password: This ensures only authorized users can update the password.
- The new password: Enter the updated password.
- Confirmation of the new password: Re-enter the password for verification.
Sample Interaction:
Enter keystore password: changeit
New keystore password: newpassword123
Re-enter new keystore password: newpassword123
If successful, the password is updated, and the truststore integrity is maintained.
Step 3: Verify the New Password
After updating the password, verify the changes by accessing the truststore with the new password.
Command:
keytool -list -keystore /home/user/truststore.jks
Output:
Enter keystore password: newpassword123
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 10 entries
This confirms the new password is working correctly.
Step 4: Update Applications with the New Password
Applications or services that rely on the truststore require the new password for uninterrupted operations.
Example: Update Java Applications
Tomcat Server: Update the server.xml configuration file:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
keystoreFile="conf/keystore.jks"
keystorePass="newpassword123"
truststoreFile="conf/truststore.jks"
truststorePass="newpassword123" />
Spring Boot Applications: Update the truststore password in the application.properties file:
server.ssl.trust-store-password=newpassword123
Common Issues and Solutions
1: Incorrect Current Password
- Cause: The current password entered does not match the truststore’s password.
- Solution: Verify the password. For default truststores (cacerts), try changeit or consult your administrator.
2: Application Fails After Password Change
- Cause: The application is still configured with the old password.
- Solution: Update the truststore password in all application configurations.
3: Keystore Tampered Error
- Cause: The truststore file may be corrupted.
- Solution: Restore the truststore from a backup and retry the password update.
4: Permissions Error
- Cause: Insufficient permissions to modify the truststore file.
- Solution: Ensure you have write permissions for the file:
chmod 600 /home/user/truststore.jks
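Step 3 verifies the new password through keytool, and issue 3 above describes the "tampered" error. The following Python example is added here and is not part of this guide or of keytool; it shows what that check actually tests for a JKS truststore (the type shown in the Step 3 output): the password seals a SHA-1 integrity digest over the whole store, so a wrong password and a corrupted file break the same digest and produce the same error, and a password change only rewrites the trailing 20 bytes while the certificates stay readable in the clear. It assumes the JKS format (PKCS12 truststores use a different integrity scheme); the sample store, alias and certificate bytes are constructed placeholders.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant Java mixes into the JKS integrity digest

def _jks_digest(password, body):
    """SHA-1 over password (UTF-16BE) + "Mighty Aphrodite" + store bytes,
    exactly as the Java JKS loader computes the trailing 20-byte digest."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()

def check_jks_password(data, password):
    """True if the password matches the store's integrity digest. A mismatch is what
    Java reports as "Keystore was tampered with, or password was incorrect": a wrong
    password and a modified file break the same digest and are indistinguishable."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS file")
    return _jks_digest(password, data[:-20]) == data[-20:]

def change_jks_password(data, old_password, new_password):
    """Re-seal the store under a new password, as keytool -storepasswd does for JKS.
    Only the trailing digest changes; the certificates are stored in the clear."""
    if not check_jks_password(data, old_password):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    body = data[:-20]
    return body + _jks_digest(new_password, body)

def _java_utf(s):
    raw = s.encode("utf-8")  # DataOutput.writeUTF: 2-byte length prefix + bytes
    return struct.pack(">H", len(raw)) + raw

def build_sample_truststore(password, cert_der, created_ms=1700000000000):
    """Constructed sample: a version-2 JKS holding one trusted-certificate entry."""
    body = struct.pack(">III", JKS_MAGIC, 2, 1)  # magic, version, entry count
    body += struct.pack(">I", 2)  # tag 2 = trusted certificate entry
    body += _java_utf("sample-ca") + struct.pack(">Q", created_ms)
    body += _java_utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + _jks_digest(password, body)

if __name__ == "__main__":
    # Placeholder bytes stand in for a real DER-encoded CA certificate.
    store = build_sample_truststore("changeit", b"\x30\x03\x02\x01\x01")
    rotated = change_jks_password(store, "changeit", "newpassword123")
    print(check_jks_password(rotated, "changeit"))        # False
    print(check_jks_password(rotated, "newpassword123"))  # True
```

Because the digest is the only thing the password protects, a truststore taken from a host can be read without the password; file permissions, not the password, are what keep its contents private.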
Best Practices
- Use Strong Passwords: Ensure your truststore password is strong and secure. Avoid common phrases or predictable patterns.
- Maintain Backups: Always back up the truststore before making changes to prevent accidental data loss.
- Document Password Changes: Log password updates securely for future reference.
- Regularly Rotate Passwords: Update passwords periodically to align with security policies.
Example Configuration
Changing Password for Default Java Truststore:
Command:
keytool -storepasswd -keystore $JAVA_HOME/lib/security/cacerts
Prompts:
Enter keystore password: changeit
New keystore password: securepass456
Re-enter new keystore password: securepass456