How one can recover a Java Keystore if the keystore password is forgotten?

Article ID: 192862

Products

CA Performance Management - Usage and Administration

Issue/Introduction

How can you recover from forgetting either the cacerts or jetty keystore password?

Environment

Valid as of Performance Management 3.7.13 and NetOps 20.2

Resolution

The only way to recover is to create a duplicate keystore with a new store password. All of the certificates from the original truststore can be copied as-is into the new keystore.

We will use /opt/CA/jre/lib/security/cacerts as the example, but this works with any Java KeyStore (JKS).

$ keytool -importkeystore -srckeystore /opt/CA/jre/lib/security/cacerts -destkeystore /opt/CA/jre/lib/security/cacerts.recovery -deststorepass pass123
Enter source keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************

Entry for alias cert1 successfully imported.
Entry for alias cert2 successfully imported.
Entry for alias cert3 successfully imported.
...
...
Import command completed: X entries successfully imported, 0 entries failed or canceled

As the example above shows, when prompted for the source keystore password you can simply press ENTER and leave it blank. keytool will still copy the certificates into the new keystore.
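Why leaving the password blank works, as an added example that is not part of this article: in the JKS format the store password is only an input to the SHA-1 integrity digest at the end of the file (the check keytool skips with the WARNING above), while trusted-certificate entries are stored in the clear, so they can be read and rewritten under a new password. The script below builds a constructed two-entry truststore, lists it with no password, checks the digest, and rewrites it under a new store password, mirroring the keytool step; it assumes the JKS format the article uses and handles trusted-certificate entries only, since private key entries are encrypted under their own key password.

```python
import hashlib
import struct

# Layout constants from the OpenJDK JavaKeyStore (JKS) implementation.
JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string mixed into the integrity digest

def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _digest(body: bytes, store_password: str) -> bytes:
    """The only thing JKS does with the store password: SHA-1(password, salt, body)."""
    return hashlib.sha1(store_password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()

def build_jks(trusted_certs: dict, store_password: str) -> bytes:
    """Serialise alias -> DER bytes as trusted-certificate entries (tag 2), then the digest."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs.items():
        body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias) + struct.pack(">q", 0)  # date 0: constructed
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(body, store_password)

def list_entries(jks: bytes) -> list:
    """Walk a JKS with no password at all; returns (alias, cert_der) per trusted-cert entry."""
    magic, version, count = struct.unpack_from(">III", jks, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version 2 JKS file")
    pos, entries = 12, []
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", jks, pos)
        if tag != TAG_TRUSTED_CERT:  # private-key entries are encrypted under the *key* password
            raise ValueError("private key entry: cannot be copied without its key password")
        alias = jks[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8  # tag + alias, then the 8-byte creation timestamp
        tlen, = struct.unpack_from(">H", jks, pos)  # certificate type string, e.g. "X.509"
        clen, = struct.unpack_from(">I", jks, pos + 2 + tlen)
        entries.append((alias, jks[pos + 6 + tlen:pos + 6 + tlen + clen]))
        pos += 6 + tlen + clen
    return entries

def verify_integrity(jks: bytes, store_password: str) -> bool:
    """A wrong store password is indistinguishable from a tampered file: digest mismatch."""
    return jks[-20:] == _digest(jks[:-20], store_password)

def recover_truststore(old_jks: bytes, new_store_password: str) -> bytes:
    """What keytool -importkeystore does for cacerts: same certs, new store password."""
    return build_jks(dict(list_entries(old_jks)), new_store_password)
```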