Change Alias, Change Password, Delete Entries in Java Keystore

Rename keystore aliases with keytool -changealias, rotate the store password with -storepasswd, change per-key passwords on JKS (not PKCS12), and remove entries with -delete — with real PKCS12 and JKS output from Ubuntu.

Published

Updated

Read time 7 min read

Reviewed byDeepak Prasad

keytool keystore management banner with rename tag and key icons

Spring Boot server.ssl.key-alias, Spring Boot SSL bundle key aliases, Tomcat certificateKeyAlias / keyAlias, and custom KeyManager code all reference a string alias inside your keystore. When that alias no longer matches your naming convention, or when you need to rotate passwords and retire old certificates, keytool provides four maintenance commands: -changealias, -storepasswd, -keypasswd, and -delete.

This guide runs each command on PKCS12 and JKS files on Ubuntu. You will see a successful alias rename (localhostweb-local), store password rotation, the PKCS12 limitation on -keypasswd, and permanent entry deletion.

Tested on: Ubuntu 26.04 LTS; OpenJDK 25.0.3; kernel 7.0.0-27-generic.


Prerequisites

Generate a PKCS12 lab keystore with two aliases so rename, password, and delete steps each have entries to work on:

bash
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 \
  -storetype PKCS12 -keystore demo.p12 -storepass changeit \
  -dname "CN=localhost, O=Demo, C=US" -noprompt

keytool -genkeypair -alias api-server -keyalg RSA -keysize 2048 -validity 365 \
  -storetype PKCS12 -keystore demo.p12 -storepass changeit \
  -dname "CN=api.example.com, O=Demo, C=US" -noprompt

Copy the file before any destructive change so you can roll back a bad rename or delete:

bash
cp demo.p12 demo.p12.bak

Keep demo.p12.bak until you finish the lab and confirm the remaining aliases match your config.

NOTE
The lab passes passwords on the command line for repeatability. In production, avoid exposing keystore passwords in shell history, process listings, CI logs, or committed scripts. Use protected prompts, secret managers, restricted files, or deployment secrets.

Change alias with -changealias

Framework configs often expect a fixed alias (tomcat, 1, server). Rename instead of re-importing when the certificate and key are fine but the label is wrong.

Point -changealias at the old name and set -destalias to the label your server config will use:

bash
keytool -changealias -alias localhost -destalias web-local \
  -keystore demo.p12 -storetype PKCS12 -storepass changeit -noprompt

List the keystore to confirm localhost became web-local and that api-server is unchanged:

bash
keytool -list -keystore demo.p12 -storetype PKCS12 -storepass changeit

The renamed entry keeps the same certificate fingerprint — only the alias string changed:

text
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

api-server, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:EC:98:50:17:00:4A:9E:07:13:AE:2F:A8:22:0B:9F:80:83:13:5E:44:50:65:18:AE:EA:8D:B9:B4:B0:2E:38
web-local, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AF:5A:E6:AE:08:11:C9:1A:85:A4:33:2D:C2:1F:49:5F:60:2D:C3:7C:32:88:A1:E9:F2:DE:B0:55:9F:4A:BA:ED

The SHA-256 fingerprint for web-local matches the old localhost entry — only the alias string changed. Update server.ssl.key-alias=web-local (or your equivalent) before restarting the service.

For Spring Boot 3.1+ SSL bundles, update the bundle key alias to match:

properties
spring.ssl.bundle.jks.webserver.key.alias=web-local

Keystore location and password for that bundle live under spring.ssl.bundle.jks.webserver.keystore.* — see Spring Boot HTTPS with keytool.

WARNING
-destalias must not already exist. If the target alias is taken, delete or rename the conflicting entry first.

Change store password with -storepasswd

-storepasswd rotates the password that unlocks the entire keystore file. It works on both PKCS12 and JKS.

Pass the current password with -storepass and the new value with -new:

bash
keytool -storepasswd -keystore demo.p12 -storetype PKCS12 -storepass changeit -new newstorepass -noprompt

Prove the new password unlocks the file:

bash
keytool -list -keystore demo.p12 -storetype PKCS12 -storepass newstorepass

A successful listing means the rotation stuck; aliases and fingerprints are unchanged:

text
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

api-server, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:EC:98:50:17:00:4A:9E:07:13:AE:2F:A8:22:0B:9F:80:83:13:5E:44:50:65:18:AE:EA:8D:B9:B4:B0:2E:38
web-local, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AF:5A:E6:AE:08:11:C9:1A:85:A4:33:2D:C2:1F:49:5F:60:2D:C3:7C:32:88:A1:E9:F2:DE:B0:55:9F:4A:BA:ED

The listing still shows web-local from the earlier rename — only the store password changed. Confirm the old password no longer works:

bash
keytool -list -keystore demo.p12 -storetype PKCS12 -storepass changeit
text
keytool error: java.io.IOException: keystore password was incorrect

Every deployment that reads this file must switch to newstorepass at the same time — partial updates cause the same error at startup.


Change key password with -keypasswd (JKS only)

Legacy JKS keystores can store a per-entry key password separate from the store password. PKCS12 cannot — the whole file shares one secret.

First, confirm PKCS12 rejects per-key password changes:

bash
keytool -keypasswd -alias web-local -keystore demo.p12 -storetype PKCS12 -storepass newstorepass \
  -keypass newstorepass -new keypass2 -noprompt

PKCS12 store type triggers an immediate error — this is expected on modern keystores:

text
keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12

On JKS the per-key password command succeeds. Create a separate JKS lab file — keep it apart from the PKCS12 demo.p12 used above:

bash
keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 \
  -storetype JKS -keystore demo.jks -storepass changeit -keypass changeit \
  -dname "CN=localhost, O=Demo, C=US" -noprompt

For new projects, standardize on PKCS12 and treat the store password as the only secret. Migrate old JKS files into a new PKCS12 destination so you do not overwrite an existing keystore:

bash
keytool -importkeystore \
  -srckeystore demo.jks \
  -destkeystore demo-from-jks.p12 \
  -deststoretype PKCS12 \
  -srcstorepass changeit \
  -deststorepass changeit \
  -noprompt

After import, demo-from-jks.p12 holds the same PrivateKeyEntry under a single store password.

Rotate the per-key password on the original JKS file:

bash
keytool -keypasswd -alias localhost -keystore demo.jks -storepass changeit \
  -keypass changeit -new newkeypass -noprompt

JKS operations print the proprietary-format warning; the key password still updates:

text
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore demo.jks -destkeystore demo.jks -deststoretype pkcs12".

If you change the JKS key password before migration, pass -srckeypass to -importkeystore or migrate while the key password still matches the store password.


Delete an entry with -delete

Remove retired certificates or aliases you no longer reference in application config. Deletion is permanent unless you kept a backup copy.

Delete api-server, then list what remains:

bash
keytool -delete -alias api-server \
  -keystore demo.p12 -storetype PKCS12 -storepass newstorepass -noprompt
keytool -list -keystore demo.p12 -storetype PKCS12 -storepass newstorepass

Only web-local should remain — the deleted alias is gone from the file:

text
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

web-local, Jul 2, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AF:5A:E6:AE:08:11:C9:1A:85:A4:33:2D:C2:1F:49:5F:60:2D:C3:7C:32:88:A1:E9:F2:DE:B0:55:9F:4A:BA:ED

Deletion is immediate and irreversible without a backup. Services still pointing at api-server will fail TLS startup until you update the alias or import a replacement entry.


Troubleshooting

Symptom Likely cause Fix
Alias <name> does not exist Wrong -alias after a rename Run keytool -list and use the current alias
UnsupportedOperationException on -keypasswd PKCS12 store type Use -storepasswd only, or migrate to JKS for legacy key-password semantics
destination alias already exists -destalias collision Pick a unique name or delete the conflicting entry
Service fails after password change Config still has old password Update javax.net.ssl.keyStorePassword, Spring server.ssl.key-store-password, and secrets together
Cannot recover key Key password differs from store password, or config uses the wrong key password For JKS, update javax.net.ssl.keyStorePassword and framework-specific key password settings; for PKCS12, use the store password
App still uses old certificate after rename Framework still points to old alias or first alias in keystore Update Spring Boot server.ssl.key-alias, SSL bundle key alias, or Tomcat certificateKeyAlias
Alias works on one system but not another Alias case or store type behavior differs Run keytool -list -v on the exact file used by the service
JKS proprietary format warning Store type is JKS Migrate to PKCS12 with -importkeystore

References


Summary

Rename aliases with keytool -changealias, rotate the file password with -storepasswd, and remove entries with -delete — all three work on PKCS12. Per-key -keypasswd is JKS-only; PKCS12 rejects it with UnsupportedOperationException. Back up the keystore before deletes and password changes, and keep framework alias properties in sync after a rename.


Frequently Asked Questions

1. How do I rename a keystore alias in keytool?

Run keytool -changealias -alias OLD -destalias NEW -keystore store.p12 -storepass PASS -noprompt. The private key, certificate chain, and entry type move to the new alias name. Update framework-specific alias settings such as Spring Boot server.ssl.key-alias, Spring Boot SSL bundle key alias, or Tomcat certificateKeyAlias/keyAlias.

2. How do I change the keystore password with keytool?

Use keytool -storepasswd -keystore store.p12 -storepass OLD -new NEW -noprompt. This works on PKCS12 and JKS. Update every application config, systemd unit, and secret manager reference that still uses the old password.

3. Can I change the key password on a PKCS12 keystore?

No. keytool -keypasswd returns UnsupportedOperationException when -storetype is PKCS12. PKCS12 uses a single store password for the whole file. Use JKS if you truly need a separate key password, or recreate the PKCS12 with a new password via export and import.

4. How do I delete an entry from a Java keystore?

Run keytool -delete -alias NAME -keystore store.p12 -storepass PASS -noprompt. The alias and its private key or trusted certificate are removed permanently. List the keystore afterward with keytool -list to confirm only the entries you expect remain.

5. Does keytool warn about JKS format?

Yes. After most JKS operations keytool prints a warning recommending migration to PKCS12 with keytool -importkeystore. JKS is a legacy Java-specific format; PKCS12 is the industry standard format, and Tomcat and Spring Boot support it well as the preferred modern format.
Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …