The password is used to protect the integrity of a keystore. if you don't provide any store password, you can still read the contents of the keystore. The command keytool -listdemonstrates this behavior (use it with an empty password).

密码用于保护密钥库的完整性。如果您不提供任何存储密码，您仍然可以读取密钥库的内容。该命令keytool -list演示了此行为（将其与空密码一起使用）。

If you do not specify a truststore, the default one is used instead. I assume, you get an error, that you'll need to specify a truststore in order to trust the host you request? The default truststore resides in $JAVA_HOME/lib/security/jssecacerts.

如果您未指定信任库，则会使用默认的信任库。我假设，你得到一个错误，你需要指定一个信任库才能信任你请求的主机？默认信任库驻留在 $JAVA_HOME/lib/security/jssecacerts 中。

By default, the JRE trust store password is "changeit". If you want to change the default trust store (cacerts) password programmatically using Java, then please go through this link.

默认情况下，JRE 信任存储密码为“changeit”。如果您想使用 Java 以编程方式更改默认信任存储 (cacerts) 密码，请访问此链接。

In addition to pascal-thivent's excellent answer:

除了pascal-thivent 的出色回答：

The keystore password has two purposes - if not supplied, keytoolrefuses to let you replace the contents of the store with new contents e.g. by deleting existing or adding new certificate entries.

密钥库密码有两个用途——如果不提供，则keytool拒绝让您用新内容替换存储的内容，例如删除现有的或添加新的证书条目。

Of course if you have write-access to update the keystore file using keytool(it's not setuid), you could replace the contents using another tool which didn't check the password. And we know that the store and its format is readable without a password, so presumably we can write what we want there.

当然，如果您具有使用更新密钥库文件的写访问权限keytool（它不是 setuid），您可以使用另一个不检查密码的工具替换内容。而且我们知道 store 及其格式无需密码即可读取，所以大概我们可以在那里写我们想要的东西。

That's where the verification password comes-in. When the store entries are written-out, the supplied store password is used to compute a digest of the store-contents, as salted by the password. This is a one-way hash/digest, so without the password, you cannot verify whether the store contents have been tampered with or not. Equally, someone malicious who does not know the password also cannot modify the store's contents and produce the digest-hash that would be produced by that password.

这就是验证密码的用武之地。当写出商店条目时，提供的商店密码用于计算商店内容的摘要，如密码所加盐。这是一种单向哈希/摘要，因此没有密码，您无法验证商店内容是否已被篡改。同样，不知道密码的恶意人员也无法修改商店的内容并生成由该密码生成的摘要哈希。

That's why when you supply no-password, keytooljust warns you that it can't verify that the store has not been tampered with. If you provide an invalidpassword, or the store hasbeen tampered with, you will get a different message:

这就是为什么当您提供无密码时，keytool只会警告您它无法验证商店没有被篡改。如果您提供的密码无效，或者商店已被篡改，您将收到不同的消息：

Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

keytoolwas unable to re-create the existing hash digest based on the current store contents and the password you supplied, so either the password is incorrect, or the keystore is compromised - keytoolcannot tell, but it assumes that you or the software reading the store knows.

keytool无法根据当前商店内容和您提供的密码重新创建现有的哈希摘要，因此密码不正确，或者密钥库已泄露 -keytool无法判断，但它假设您或读取商店的软件知道.

Note that whilst the term keystoreis used generally, it refers equally to keystoresand truststores. Less-generally, a keystoreis more often an identity storeand contains identities and their secret, private keys, as used e.g. by a server running HTTPS. A truststoremore often contains only public keys and no private keys, so no secrets, but is important to determine what identities a clienttrusts.

请注意，虽然通常使用术语密钥库，但它同样指的是密钥库和信任库。不太一般地，密钥库通常是一个身份库，包含身份及其秘密、私钥，例如由运行 HTTPS 的服务器使用。一个信任往往只包含公钥和没有私人密钥，所以没有秘密，但重要的是要确定是什么身份的一种客户信任。