Add password to keytool command
Specify the keystore password using the -storepass option:
keytool <commands and options> -storepass changeit
changeit being the default keystore password, but use whatever.
For example, to add a certificate using the default password:
keytool -importcert -trustcacerts -alias mycert -file mycert.cer -keystore .../lib/security/cacerts -storepass changeit
The keytool that ships with the Oracle JDK allows you to specify it on the command line with -storepass; you were doing keytool -help instead of keytool -list -help. (I suppose the Android version is the same.)
C:\>keytool.exe -list -help
keytool -list [OPTION]...

Lists entries in a keystore

Options:

 -rfc                            output in RFC style
 -alias <alias>                  alias name of the entry to process
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Use "keytool -help" for all available commands
As @sastorsl said, if you are worried about putting your password in clear text in your command or script (and you should), you should put your password in a secure file (with 0400 permissions, in Linux) or in an environment variable.
Now keytool does have a similar construct to openssl's file:<filename>, if your password is in a file:
keytool <commands and options> -storepass:file <pass_file>
If your password is in an environment variable:
keytool <commands and options> -storepass:env <pass_var>
Disclaimer: I have tested the -storepass:file option in Bash (not in Windows), but the documentation does not seem to have any difference according to the OS.
From the Oracle keytool doc:
-storepass [:env | :file ] argument
The password that is used to protect the integrity of the keystore.
If the modifier env or file isn’t specified, then the password has the value argument, which must contain at least six characters. Otherwise, the password is retrieved as follows:
env: Retrieve the password from the environment variable named argument.
file: Retrieve the password from the file named argument.
Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).
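The password-file approach from the last answer, as an added example that is not part of the original answers: it creates the file owner-read-only (0400) without a window of looser permissions, and refuses to hand keytool a file that group or others can read. The helper names (file_mode, write_pass_file, pass_file_ok, list_keystore) are hypothetical; only keytool's -list, -keystore and -storepass:file come from the page.

```shell
#!/bin/sh
# Added example; function names and paths are illustrative assumptions.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the password file with mode 0400. umask 077 in a subshell means the
# file is never group- or world-readable, not even briefly. The password is
# read from stdin so it does not appear in argv or in shell history.
write_pass_file() {   # usage: write_pass_file <pass_file>  (password on stdin)
    ( umask 077
      rm -f -- "$1"
      { IFS= read -r pw || [ -n "$pw" ]; } || exit 1
      printf '%s' "$pw" > "$1" && chmod 0400 "$1" )
}

# Accept only a regular, non-symlink file with mode 0400 or 0600.
pass_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# List a keystore, passing the password only by file reference so the
# secret is not visible in the process list.
list_keystore() {     # usage: list_keystore <keystore> <pass_file>
    pass_file_ok "$2" || { echo "unsafe password file: $2" >&2; return 1; }
    keytool -list -keystore "$1" -storepass:file "$2"
}
```

The same check applies before any of the other password options that accept the file modifier, such as -keypass:file or -srcstorepass:file.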