keypasswd manages the passwords which are used to access a user's private keystore.
keypasswd [-S servicename] [-p privatekeystore | -k username]
The keypasswd command allows a user to change the password of a private keystore. The user will be asked to enter the old and new password of the keystore. The -S option specifies which end-entity services and libraries to use while changing the password. Available services are defined in the /usr/lib/security/pki/ca.cfg file. When invoked without -S, keypasswd will use the local service. You will get an error if you specify a servicename which does not have an entry in the /usr/lib/security/pki/ca.cfg file. The -p option specifies the private keystore for which the password is going to be changed. The -k option specifies the user's default private keystore. You will get an error if you specify both the -k and -p options.
| -S servicename | Specifies which service module to use. |
| -p privatekeystore | Specifies the private keystore whose password is going to be changed. |
| -k | Specifies that the keystore to be used is that of username. |
This is a privileged (set-UID root) command.
To change the password of a keystore one must know the password of the keystore.
Root and invokers belonging to group security are allowed to change the password of any keystore as long as they know the password of the keystore. A non-privileged user is allowed to change only the keystore file that they own.
This command records the following event information:
KEY_Password <username>
$ keypasswdwhere the invoker is Bob.
$ keypasswd -p bob.keystore
/usr/lib/security/ca.cfg
/usr/lib/security/policy.cfg
The certadd, certcreate, certdelete, certget, certlink, certlist, certrevoke, certverify, keyadd, keydelete, keylist, and mksecpki commands.