13

I used following command to generate the jks for my web app.

keytool -genkey -keyalg RSA -alias my-app -validity 10800 -keysize 2048 -sigalg SHA1withRSA -keystore myapp.jks

This command prompted some questions as below: 

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  GS
What is the name of your organizational unit?
  [Unknown]:  XX
What is the name of your organization?
  [Unknown]:  YY
What is the name of your City or Locality?
  [Unknown]:  ZZ
What is the name of your State or Province?
  [Unknown]:  AA
What is the two-letter country code for this unit?
  [Unknown]:  BB
Is CN=GS, OU=XX, O=YY, L=ZZ, ST=AA, C=BB correct?
  [no]:  yes

Enter key password for <my-app> //Why this password is required???
        (RETURN if same as keystore password):

Tomcat is able to read this keystore only when both keystore password [first time prompted] and key password. When I use some other password in place of "key password" tomcat fails to start due to the keystore file.
My question is what is the significance of key password.

P.S: I seen this link. Here they say: 

Press RETURN when prompted for the key password (this action makes the key password the same as the KeyStore password).

If both passwords must be same then any idea what is the significance of asking it twice?

G.S
  • 10,413
  • 7
  • 36
  • 52

3 Answers3

11

As the JavaDoc states

The keypass value that you are prompted for specifies a password for the private key about to be generated. You will always need this password in order to access the keystore entry containing that key. The entry doesn't have to have its own password. When you are prompted for the key password, you are given the option of letting it be the same as the keystore password.

A keystore can contain multiple keys and each of these keys can only be accessed using password. So keytool is just giving you an option if you wish to keep the key password same as the keystore you are creating.

Kristopher Noronha
  • 155
  • 8
Maas
  • 1,317
  • 9
  • 20
  • Thanks! Any idea why tomcat fails when i use different password for "key password"? Or do i need to configure this password also in server.xml? – G.S Aug 11 '14 at 09:29
  • I believe yes, see if http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html link helps look at " Edit the Tomcat Configuration File" and "Troubleshooting" section. – Maas Aug 11 '14 at 09:36
  • Thanks for the answer. A link to the actual JavaDoc would be nice, however. – dforce Aug 18 '17 at 06:30
5

As already answered by @Maas, keyPassword is required to access the key entry that is stored in the KeyStore.

The way it happens is first KeyStore Password is used to access/unlock the KeyStore and then keyPassword is used to decrypt the key entry that is there inside that KeyStore.

Generally various implementations/use of ssl consider using same password for KeyStorePassword and keyPassword

That is what is the case in tomcat also. If you see the document tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html they have clearly stated that "your private key password and keystore password should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key, as documented in Bugzilla issue 38217, which contains further references for this issue"

enter image description here

Even JSSE implementation wants KeyStorePassword and KeyPassword to be same.

enter image description here

https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/SSL-SysProps.html

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManagerFactory

Sushil Kumar Sah
  • 1,042
  • 10
  • 13
1

You can have many keys in one keystore, each with their own password (or same as the keystore itself, if you chose it to be). That's your decision, with how much you care about the security of the keys.

Gauntlet
  • 141
  • 3
  • 9
  • thanks for your answer but my question is significance of "key password" which prompted at the end. I am trying to generate only one keystore here – G.S Aug 11 '14 at 09:15
  • Yes, and one keystore can have many keys with different passwords, as I said. – Gauntlet Aug 11 '14 at 09:19
  • I understand. Here i am generating private keys for my app. Why is the 2nd password is required. As you said "many keys" - Always password prompted not more than twice. Also, when I use some other password for "key password" tomcat is unable to start... – G.S Aug 11 '14 at 09:25
  • Yes, that is how Tomcat works with keyfiles. Must be same password. – Gauntlet Aug 11 '14 at 09:30