Keystore error with mismatching key and keystore passwords for certificates.

This article explains the cause of the keystore per-key password mismatch error during Salesforce certificate import and how to resolve it.

Understanding the Problem

When creating or exporting a Java Keystore, a separate password can be set for the keystore itself and for each individual key entry within the keystore. Salesforce requires these two passwords to match.

Example: 
For the below code sample, let's say that our password for the "key password" was set to 1234567 initially. Salesforce only requests the "keystore password" be set, so Salesforce needs to be able to decrypt the certificates with this alone by having the passwords match. Thus, when we run the below;

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore-in-pkcs12.p12 -deststoretype PKCS12 
Enter destination keystore password: <123456> 
Re-enter new password: <123456> 
Enter source keystore password: <123456> 
Enter key password for <salesforce> <123456> 
keytool error: java.security.UnrecoverableKeyException: Cannot recover key 

The "keystore" and "key" passwords do not match, so it will throw an 'UnrecoverableKeyException' error.

How to Fix

To resolve this error, ensure that the private key password and the keystore password are set to the same value when creating or re-exporting the keystore.