I used the following command to generate the JKS for my web app:
keytool -genkey -keyalg RSA -alias my-app -validity 10800 -keysize 2048 -sigalg SHA1withRSA -keystore myapp.jks
This command prompted some questions as below:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: GS
What is the name of your organizational unit?
[Unknown]: XX
What is the name of your organization?
[Unknown]: YY
What is the name of your City or Locality?
[Unknown]: ZZ
What is the name of your State or Province?
[Unknown]: AA
What is the two-letter country code for this unit?
[Unknown]: BB
Is CN=GS, OU=XX, O=YY, L=ZZ, ST=AA, C=BB correct?
[no]: yes
Enter key password for <my-app> //Why is this password required???
(RETURN if same as keystore password):
Tomcat is able to read this keystore only when the keystore password [the one prompted first] and the key password are the same. When I use some other password in place of the "key password", Tomcat fails to start because of the keystore file.
My question is: what is the significance of the key password?
P.S.: I have seen this link. There they say:
Press RETURN when prompted for the key password (this action makes the key password the same as the KeyStore password).
If both passwords must be the same, then any idea what the significance is of asking for it twice?
As the JavaDoc states:
The keypass value that you are prompted for specifies a password for the private key about to be generated. You will always need this password in order to access the keystore entry containing that key. The entry doesn't have to have its own password. When you are prompted for the key password, you are given the option of letting it be the same as the keystore password.
A keystore can contain multiple keys, and each of these keys can only be accessed using a password. So keytool is just giving you the option to keep the key password the same as the password of the keystore you are creating.
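The two passwords really are independent, and the following added example (not part of the original question or answer) shows that through the JDK `KeyStore` API rather than keytool: the entry is stored under one password and the container under another, and reopening the file shows which operation needs which. It uses a PKCS12 keystore (the JDK default type since Java 9) holding an AES secret-key entry, because generating a certificate chain for a private-key entry is not possible with the public JDK API; the store/entry password split works the same way for the private-key entries keytool creates. The alias and both passwords are invented for the example. Two practitioner notes that the thread does not state: Tomcat's connector has a separate `keyPass` attribute whose default is the value of `keystorePass`, so a key password that differs from the keystore password only works if `keyPass` is configured as well; and `-sigalg SHA1withRSA` in the question's command produces a SHA-1 signature, which browsers and the JDK have deprecated, so `SHA256withRSA` is the value to use today.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPasswordDemo {
    // Hypothetical passwords for this example; deliberately different.
    static final char[] STORE_PASS = "store-secret".toCharArray();
    static final char[] KEY_PASS = "entry-secret".toCharArray();
    static final String ALIAS = "my-app"; // same alias as in the question

    public static void main(String[] args) throws Exception {
        // Empty in-memory keystore; PKCS12 can hold secret-key entries, so no
        // certificate chain is needed for this demonstration.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // The entry is protected with its own (key) password.
        ks.setEntry(ALIAS,
                new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(KEY_PASS));

        // The container is written with the store password.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);
        byte[] fileBytes = out.toByteArray();

        // Re-open: the store password is enough to load the file and list aliases,
        // which is what keytool -list does and what Tomcat's keystorePass covers.
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(fileBytes), STORE_PASS);
        System.out.println("contains " + ALIAS + ": " + reloaded.containsAlias(ALIAS));

        // The store password does not unlock the entry itself...
        try {
            reloaded.getKey(ALIAS, STORE_PASS);
            System.out.println("unexpected: store password recovered the key");
        } catch (UnrecoverableKeyException e) {
            System.out.println("store password rejected for entry: " + e.getMessage());
        }

        // ...only the key password does, which is what Tomcat's keyPass must match.
        SecretKey recovered = (SecretKey) reloaded.getKey(ALIAS, KEY_PASS);
        System.out.println("entry recovered with key password, algorithm=" + recovered.getAlgorithm());
    }
}
```

Compile and run with `javac KeyPasswordDemo.java && java KeyPasswordDemo`. The practical consequence for the JKS format in the question is the same split: the store password protects the container (for JKS it is only an integrity check on load, so anyone with the file can still list the aliases and certificates), while the key password encrypts the private key material of the entry. Pressing RETURN at the second prompt, as the linked Tomcat instructions suggest, simply sets both to one value so that a single `keystorePass` in server.xml suffices.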