Recently, I had to install a new certificate on a web server, but was unable to open the keystore where the private key was generated. At some point, the password for the
pskey file has been changed (or not documented when set) so I was unable to open the file. I didn’t want to loose the private key, so I had to find a way to get into the keystore.
pskey file is just a JKS (Java KeyStore) file and has a well documented format. There isn’t a built-in way to reset the password using
keytool (without knowing the existing one), but we can rewrite the JKS file and add in a new password. This gist has two classes that you can compile to rewrite your
This does not change the passwords on your private keys inside the keystore, just the password that opens the keystore itself.
Compile and Run
You will need to download the two classes and compile them. Save the files as:
Make sure you have a JDK installed on your machine; you need to have the
javac compiler. Compile the two classes with this command:
After it compiles, you will have to new
.class files. Copy your
pskey from the web server to the folder where you compiled the two classes. Finally, let’s rewrite our
pskey file with a new password:
java ChangePassword pskey pskey-new
You will be prompted to enter a new password. Now you have a new keystore file. The contents are the same, but the keystore password is reset. You can copy the
pskey-new file to your web server and rename it back to
pskey. If the password is new, you will need to update the Keystore tab in the WebLogic console, and update your
This should be a last resort, but if you find yourself unable to open
pskey you can always give this a try. Make to sure back up your
pskey file before you try anything. You don’t want to try this and end up losing the keystore completely!