how to change PKCS12 keystore password using keytool?

You can import the PKCS12 file to another PKCS12 where you can give new password for new PKCS12 file. Then you can use the new PKCS12 file or delete the previous one and rename the new file name with the old file name. Its not a straight forward way, but it fulfills the objective.A sample code is given bewlow

keytool -importkeystore -srckeystore DocCA.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore DocCA2.p12 -deststoretype PKCS12 -deststorepass 11223344 

Here, DocCA.p12 is the existing PKCS12 with password 123456 which is exported in the DocCA2.p12 file with password 11223344.

I know the question is about using keytool, but if that is not an strict requirement, you can use openssl instead:

  1. Export certs and keys to a temp.pem file without password protection. This will ask you interactively for the decrypt password:

    openssl pkcs12 -in keystore.p12 -out temp.pem -nodes
  2. Export from temp.pem file to a new PKCS#12 file. This will ask you interactively for the new encrypt password:

    openssl pkcs12 -export -in temp.pem -out keystore-new.p12
  3. Remove the temporary file:

    rm temp.pem

⚠️ It is important that you do this in a folder where nobody else has permission to read, because as long as the temp.pem file exist, the keys inside could be read.