1
votes

I used Windows and Linux machines to create a Java keystore (JKS) with the Java keytool. When I run the keytool command mentioned below:

keytool -genkey -alias TESTSSL -dname "cn=Test.com, ou=testlab, o=myorg, c=UK" -keyalg "RSA" -keysize 2048 -keystore TESTSSL.private.jks -validity 10 -storepass XXXXXXX

It prompts me to enter a keystore password and a key password.

My question is: I want to know where both passwords are stored and in which form. Are they stored in the keystore file or somewhere else in the OS (if this is the case, I would like to know the exact location)?

Any information related to this is highly appreciated.


2 Answers

2
votes

Note you are actually creating the default format of keystore, assuming this file doesn't exist at the time you run keytool; through Java 8 the default is JKS, but from 9 up it is PKCS12. (Naming the file something.jks does not control the format, any more than naming it something.lollipop would make it a child's sweet.)

If you specify -storepass whatever on the command line as you stated, it should not prompt for the keystore password -- at least not on that operation; if you run keytool again to (re)use the same file, that will prompt unless you again specify it on that command line. Similarly, if you specify -keypass whatever on the command line, when needed depending on the operation, it should not prompt for the key password.

For JKS, JCEKS and PKCS12, the password(s) are not stored at all. Doing so would be grossly insecure. Instead, the password(s) plus 'salt' (a randomized value) are processed by a one-way 'key derivation' algorithm to create the key(s) used to encrypt at least the private-key entries in the keystore, and to authenticate (MAC) the entire keystore. PKCS12 as implemented in Java (weakly) encrypts the certificates as well as the private keys; JKS and JCEKS do not. PKCS12 as implemented in Java may not support a private-key password differing from the store password.

If you can't or don't supply the correct password(s) when using the keystore file it may fail depending on exactly what operation(s) you try to do, so it is your job to remember them, and if necessary transfer or distribute them. If you need to do this on a scale difficult to manage manually, there are password-management tools -- which can handle passwords for all things, not just Java keystores -- of many kinds and from lots of sources.

For non-file-based keystores, like PKCS11 on some systems or the OS-provided store on Windows, how the password is implemented and used -- if at all -- depends on the particulars of that keystore, although storing the password would usually be poor or bad practice.
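To make the "not stored at all" point concrete, here is an added example (not part of the answer above, and not code from the JDK) that reconstructs in Python the two places where the JKS format uses a password, following OpenJDK's sun.security.provider.JavaKeyStore and KeyProtector classes: the SHA-1 integrity digest appended to the whole file (password as UTF-16BE, plus the constant "Mighty Aphrodite", plus the file body) and the salted SHA-1 stream used to XOR-protect a private-key entry. The function names, the empty keystore, the fixed salt and the sample key bytes are my own constructions for the demonstration; the constants are those OpenJDK uses.

```python
"""Added teaching example: how JKS derives material from a password without storing it.

Reconstructs (from OpenJDK's JavaKeyStore/KeyProtector) the integrity digest over the
keystore file and the salted XOR protection of a private-key entry. Constructed inputs
only; this is an illustration, not a replacement for java.security.KeyStore.
"""
import hashlib
import hmac
import os
import struct

MAGIC = 0xFEEDFEED            # JKS file magic
VERSION = 2                   # JKS format version written by modern JDKs
WHITENER = b"Mighty Aphrodite"  # constant OpenJDK mixes into the integrity digest
SHA1_LEN = 20


def password_bytes(password: str) -> bytes:
    """JKS feeds each password char into SHA-1 as two big-endian bytes (UTF-16BE)."""
    return password.encode("utf-16-be")


def integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1(password || 'Mighty Aphrodite' || file body): a keyed checksum, not the password."""
    md = hashlib.sha1()
    md.update(password_bytes(password))
    md.update(WHITENER)
    md.update(body)
    return md.digest()


def write_empty_jks(password: str) -> bytes:
    """Constructed zero-entry keystore: header + appended integrity digest."""
    body = struct.pack(">III", MAGIC, VERSION, 0)  # magic, version, entry count
    return body + integrity_digest(password, body)


def load_jks(data: bytes, password):
    """Mirror of JavaKeyStore.engineLoad: a None password skips the integrity check."""
    body, stored = data[:-SHA1_LEN], data[-SHA1_LEN:]
    magic, version, count = struct.unpack(">III", body[:12])
    if magic != MAGIC or version != VERSION:
        raise ValueError("Invalid keystore format")
    if password is not None and not hmac.compare_digest(integrity_digest(password, body), stored):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    return count


def _xor_stream(pw: bytes, salt: bytes, length: int) -> bytes:
    """KeyProtector derivation: chain SHA-1(password || previous digest), seeded with the salt."""
    out, digest = bytearray(), salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return bytes(out[:length])


def protect_key(password: str, plain_key: bytes, salt: bytes = None) -> bytes:
    """Produce salt || (key XOR stream) || SHA-1(password || key), as KeyProtector.protect does."""
    salt = salt if salt is not None else os.urandom(SHA1_LEN)
    pw = password_bytes(password)
    enc = bytes(a ^ b for a, b in zip(plain_key, _xor_stream(pw, salt, len(plain_key))))
    check = hashlib.sha1(pw + plain_key).digest()
    return salt + enc + check


def recover_key(password: str, protected: bytes) -> bytes:
    """Inverse of protect_key; a wrong password fails the trailing checksum."""
    salt, enc, check = protected[:SHA1_LEN], protected[SHA1_LEN:-SHA1_LEN], protected[-SHA1_LEN:]
    pw = password_bytes(password)
    plain = bytes(a ^ b for a, b in zip(enc, _xor_stream(pw, salt, len(enc))))
    if not hmac.compare_digest(hashlib.sha1(pw + plain).digest(), check):
        raise ValueError("Cannot recover key")
    return plain


if __name__ == "__main__":
    store = write_empty_jks("changeit")
    print("password bytes present in file:", password_bytes("changeit") in store)  # False
    print("entries with correct password:", load_jks(store, "changeit"))
    sample_key = bytes(range(48))  # constructed stand-in for DER-encoded key material
    blob = protect_key("changeit", sample_key)
    print("round trip ok:", recover_key("changeit", blob) == sample_key)
```

The recovery path is the reason the answer says it is your job to remember the password: nothing in the file lets you test a candidate other than by re-running the derivation and comparing digests, which is also why a wrong -storepass surfaces as "Keystore was tampered with, or password was incorrect" rather than "password not found".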

0
votes

The key password and keystore password are stored in the keystore itself. It's self-contained. That way the keystore is portable and can be sent to others who can open it (provided they know the key[store] password).