How can one recover a Java Keystore if the keystore password is forgotten?


Article ID: 192862




CA Performance Management - Usage and Administration


How can you recover from forgetting either the cacerts or jetty keystore password?


Valid as of Performance Management 3.7.13 and NetOps 20.2


The only way to recover is to create a duplicate keystore with a new store password. All of the certs from the original truststore can be copied as-is into the new keystore.

We will use /opt/CA/jre/lib/security/cacerts as the example, but this will work with any Java Keystore (JKS).

$ keytool -importkeystore -srckeystore /opt/CA/jre/lib/security/cacerts -destkeystore /opt/CA/jre/lib/security/cacerts.recovery -deststorepass pass123
Enter source keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************

Entry for alias cert1 successfully imported.
Entry for alias cert2 successfully imported.
Entry for alias cert3 successfully imported.
Import command completed: X entries successfully imported, 0 entries failed or canceled

As the example above shows, when prompted for the source keystore password you can simply press the 'ENTER' key and skip it. Keytool will still be able to copy the certs to the new keystore.
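Why the blank password works, as an added example that is not part of the original article or of keytool: in the JKS format the store password only keys a trailing SHA-1 integrity digest, while certificates are stored unencrypted. The parser below lists the entries without any password. It assumes the JKS layout used by OpenJDK; the function names are hypothetical and the sample keystore is constructed from placeholder bytes.

```python
import hashlib
import struct

PHRASE = b"Mighty Aphrodite"  # constant mixed into the JKS integrity digest

def _utf(b, p):   # Java writeUTF string: 2-byte length, then bytes
    n = struct.unpack_from(">H", b, p)[0]
    return b[p + 2:p + 2 + n].decode(), p + 2 + n

def _blob(b, p):  # 4-byte length, then bytes
    n = struct.unpack_from(">I", b, p)[0]
    return b[p + 4:p + 4 + n], p + 4 + n

def list_jks(b):
    """Return (alias, entry type, SHA-256 of first cert) using no password."""
    magic, ver, count = struct.unpack_from(">III", b, 0)
    if magic != 0xFEEDFEED or ver not in (1, 2):
        raise ValueError("not a JKS keystore")
    p, out = 12, []
    for _ in range(count):
        tag = struct.unpack_from(">I", b, p)[0]
        alias, p = _utf(b, p + 4)
        p += 8                               # creation timestamp
        kind, chain = "trustedCertEntry", 1
        if tag == 1:                         # key blob is encrypted with the key password
            kind = "PrivateKeyEntry"
            _, p = _blob(b, p)
            chain, p = struct.unpack_from(">I", b, p)[0], p + 4
        elif tag != 2:
            raise ValueError("unknown entry tag")
        certs = []
        for _ in range(chain):
            if ver == 2:                     # v2 stores the cert type ("X.509") first
                _, p = _utf(b, p)
            cert, p = _blob(b, p)
            certs.append(hashlib.sha256(cert).hexdigest())
        out.append((alias, kind, certs[0] if certs else None))
    return out

def integrity_ok(b, password):
    """The store password is used only to key this trailing SHA-1 digest."""
    return hashlib.sha1(password.encode("utf-16-be") + PHRASE + b[:-20]).digest() == b[-20:]

def build_sample(password):
    """Constructed two-entry keystore with placeholder bytes, not real certs."""
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    cert = utf("X.509") + struct.pack(">I16s", 16, b"constructed-cert")
    body = struct.pack(">IIII", 0xFEEDFEED, 2, 2, 2) + utf("cert1") + bytes(8) + cert
    body += struct.pack(">I", 1) + utf("jetty") + bytes(8) + struct.pack(">I7sI", 7, b"enc-key", 1) + cert
    return body + hashlib.sha1(password.encode("utf-16-be") + PHRASE + body).digest()
```

Entries reported as PrivateKeyEntry hold a key blob encrypted under the key password, so only their certificates are readable this way. Skipping the store password also skips the integrity check that `integrity_ok` performs, which is what the keytool warning banner refers to.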