The keytool -importkeystore command imports key entries that are protected with their old passwords. When user wants to import an existing keystore to a pkcs12 keystore with a new storepass, the keypass will be different from the storepass. Although technically pkcs12 can have different storepass and keypass, it's a common practice to use the same (for example, Firefox does not accept it). Also, other keytool commands (say, -genkeypair) has already enforced the sameness.

To fix this, we should always use storepass as keypass for pkcs12 keystores.

This is a behaviour change from previous releases.