JDK-8193046 : Difficult to change built-in password for JDK 9 cacerts store
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9.0.1
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2017-12-05
  • Updated: 2018-01-03
  • Resolved: 2018-01-03
Related Reports
Duplicate :  
Description
Changing the password on cacerts file

We use the Oracle distributed cacerts file in our software after changing its
default password.  We simply copy the cacerts file as distributed in the JDK
and use the following command (which had worked for many releases of Java):

# keytool -storepasswd -new <new password> -keystore ./cacerts -storepass changeit

Using Java 9 version:
java version "9.0.1"
Java(TM) SE Runtime Environment (build 9.0.1+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.1+11, mixed mode)

We now get this warning:
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -new value.

Following the lead with this warning message, we tried to modify both store
and key passwords using this command:

# keytool -storepasswd -new <new password> -keystore ./cacerts -storepass changeit -keypasswd -new <new password> -keypass changeit

But we get this error message upon trying that:
keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12

What is the exact command syntax for changing the built-in password?
Comments
The storetype of cacerts is not PKCS12 but JKS. keytool has a bug in finding the correct storetype.
08-12-2017
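
Added example, not part of the bug report or of the JDK: Python code that identifies a keystore's on-disk type from its leading bytes, which is the check the comment above turns on, and shows that a JKS store password only keys the trailing SHA-1 integrity digest. The function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED           # first 4 bytes of a JKS store
JCEKS_MAGIC = 0xCECECECE         # first 4 bytes of a JCEKS store
JKS_SALT = b"Mighty Aphrodite"   # fixed string mixed into the JKS digest
DIGEST_LEN = 20                  # SHA-1 integrity digest at end of file

def detect_type(data: bytes) -> str:
    """Identify the keystore type from its leading bytes."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    if data[:1] == b"\x30":      # DER SEQUENCE tag; PKCS12 is an ASN.1 PFX
        return "PKCS12 (probable)"
    return "unknown"

def _digest(body: bytes, password: str) -> bytes:
    # Each password char is hashed as two big-endian bytes (UTF-16BE).
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def jks_check_password(data: bytes, password: str) -> bool:
    """True if `password` matches the store's integrity digest."""
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return hmac.compare_digest(_digest(body, password), stored)

def jks_change_password(data: bytes, old: str, new: str) -> bytes:
    """Re-key the integrity digest. Valid only for stores holding just
    trusted-certificate entries (as cacerts does); private-key entries
    carry their own key password, which this does not touch."""
    if detect_type(data) != "JKS":
        raise ValueError("not a JKS keystore")
    if not jks_check_password(data, old):
        raise ValueError("old store password does not match")
    body = data[:-DIGEST_LEN]
    return body + _digest(body, new)

def make_empty_jks(password: str) -> bytes:
    """Constructed sample: JKS header (magic, version 2, 0 entries) + digest."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _digest(body, password)

if __name__ == "__main__":
    store = make_empty_jks("changeit")
    print(detect_type(store), jks_check_password(store, "changeit"))
```

Running `detect_type` over the bytes of a copied cacerts file shows which format is actually on disk, independent of what keytool infers.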