keytool error Keystore was tampered with, or password was incorrect

229
votes

I am getting following error while generating certificates on my local machine.

C:\Users\abc>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I think there is some problems in jdk version.I ran the same command on my collegues machine and it is working fine.

Please share your inputs.

19
javakeystore
are you giving correct password? and running the command from proper directory?dev2d
As I am creating it, so I am entering a new password.From which directory should I run it?C4CodeE4Exe
keytool -genkeypair -alias tomcat -keyalg RSA -keystore D:\keystore.jks try this for generating keystore and then export cer like keytool -export -alias mycert -keystore D:\keystore.jks -file vorburger.cerdev2d
Can you please clarify, does it will have the same effect as was with "keytool -genkey -alias tomcat -keyalg RSA".C4CodeE4Exe
can you tell me the purpose of generating this cer?dev2d

19 Answers

95
votes

From your description I assume you are on windows machine and your home is abc

So Now : Cause

When you run this command

keytool -genkey -alias tomcat -keyalg RSA

because you are not specifying an explicit keystore it will try to generate (and in your case as you are getting exception so to update) keystore C:\users\abc>.keystore and of course you need to provide old password for .keystore while I believe you are providing your version (a new one).

Solution

  1. Either delete .keystore from C:\users\abc> location and try the command

  2. or try following command which will create a new xyzkeystore:

    keytool -genkey -keystore xyzkeystore -alias tomcat -keyalg RSA

Note: -genkey is old now rather use -genkeypair althought both work equally.

333
votes

I solved it by using the default password for cacerts keystore : 'changeit'

190
votes

This answer will be helpful for new Mac User (Works for Linux, Window 7 64 bit too).

Empty Password worked in my mac . (paste the below line in terminal)

keytool -list -v -keystore ~/.android/debug.keystore

when it prompt for

Enter keystore password:

just press enter button (Dont type anything).It should work .

Please make sure its for default debug.keystore file , not for your project based keystore file (Password might change for this).

Works well for MacOS Sierra 10.10+ too.

I heard, it works for linux environment as well. i haven't tested that in linux yet.

15
votes

In tomcat 8.5 pay attention to write the correct name of attributes. This is my code on server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore" certificateKeystorePassword="mypassword" type="RSA"/>
    </SSLHostConfig>
</Connector>

You can visit https://tomcat.apache.org/tomcat-8.5-doc/config/http.html to see all attributes

15
votes

I have solve this issue by using default password "changeit".

14
votes

Using changeit for the password is important too.

This command finally worked for me(with jetty):

 keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass changeit -validity 360 -keysize 2048
5
votes

Works on Windows

open command prompt (press Windows Key + R then type "cmd" without quotations in the appearing dialogue box and then press Enter Key).

then type the code sniff below :

  1. cd C:\Program Files\Java\jdk1.7.0_25\bin

then type following command

  1. keytool -list -keystore "C:/Documents and Settings/Your Name/.android/debug.keystore"

Then it will ask for Keystore password now. The default password is "android" type and enter or just hit enter "DONT TYPE ANY PASSWORD".

4
votes

Check your home folder ~/.gradle/gradle.properties. Sometimes if you have gradle.properties in home directory it takes details from the there. Either you can change that or delete the files. Then it will take required details from your local folder.

4
votes

If you are working on signing your Flutter App by following this guide Build and release an Android app and run in to this error. I hope this answer helps you.

In my case I changed the path to store my key.jks. This happened to me because I there was an existing file in that path.

keytool -genkey -v -keystore ~/key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias key

This command stores the key.jks file in your home directory. To store it elsewhere, change the argument you pass to the -keystore parameter.

In my case,

keytool -genkey -v -keystore /Users/Y/Desktop/X/key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias keyYour

i.e Y - Username and X - folder name

Then you will be prompted to Enter keystore password: and Re-enter new password:. Here you can use whatever password you want.

However, keep the keystore file private; don’t check it into public source control!

2
votes

I fixed this issue by deleting the output file and running the command again. It turns out it does NOT overwrite the previous file. I had this issue when renewing a let's encrypt cert with tomcat

2
votes

Empty password worked for me on my Mac

keytool -list -v -keystore ~/.android/debug.keystore

hit Enter then It's show you

Enter keystore password:

here just hit Enter for empty password

1
votes

Summarizing the advices from this page, I finished up with the following:

keytool -genkeypair -keystore ~/.android/release.keystore -alias <my_alias> -storepass <my_cert_pass> -keyalg RSA

Then I got a set of questions regarding name, organization, location and password for my alias.

1
votes

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I solved my problem when I changed keystore path C:\MyWorks\mykeystore to C:\MyWorks\mykeystore.keystore.

1
votes

In my case I was needed to have root access.

1
votes
 [root@localhost Certificate]# openssl pkcs12 -export -in 
 /opt/Certificate/115c99f4c5aa98f5.crt -inkey /opt/Certificate/ravi.in.key -certfile 
/opt/Certificate/gd_bundle-g2-g1.crt -out RaviNew.p12

Enter Export Password: <Password>
Verifying - Enter Export Password: <Password>

Note :- Above Export Pasworrd write down anywhere because it is must to create JKS file ( It is depend on your choice what password you want to make )

  keytool -importkeystore -srckeystore DigiEduNew.p12 -srcstoretype pkcs12 -destkeystore finaldigiEdu.jks -deststoretype JKS
  Importing keystore DigiEduNew.p12 to finaldigiEdu.jks...
  Enter destination keystore password: <Any Password >
  Re-enter new password: <Any Password >
  Enter source keystore password: <.P12 Password >
  Entry for alias 1 successfully imported.
  Import command completed:  1 entries successfully imported, 0 entries failed or 
  cancelled



 Warning:
 The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 
 which is an industry standard format using "keytool -importkeystore -srckeystore 
 finaldigiEdu.jks -destkeystore finaldigiEdu.jks -deststoretype pkcs12".
1
votes

For me I solved it by changing passwords from Arabic letter to English letter, but first I went to the folder and deleted the generated key then it works.

1
votes

In my case with Xamarin Forms 4.7 and Visual Studio 2019 16.7.0 Preview 3.1, the problem was version mismatch of lately updated Android Build tools (apksigner) and JDK. Updated JDK to latest and pointed the new JDK path on Tools->Options->Xamarin->Android Settings, and it works.

0
votes

Just upgraded to Android Studio 4.2 from 4.0. Apparently, Android Studio silently CHANGED my keystore password, which has been sitting there unchanged and working perfectly without incident for well over a year.

Just had to re-renter both passwords.

Sigh