This documentation is for WSO2 Carbon 4.4.1. View documentation for the latest release.
Page Comparison - Setting up Keystores (v.5 vs v.6) - Carbon 4.4.1 - WSO2 Documentation
Due to a known issue do not use JDK1.8.0_151 with WSO2 products. Use JDK 1.8.0_144 until JDK 1.8.0_162-ea is released.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

A keystore is a repository that stores cryptographic keys and certificates. You use these artifacts for security purposes such as encrypting sensitive information, and establishing trust between your server and the outside parties that connect to it. See the following topics for details on keystores.childrenhow keystores are used in WSO2 products and the default keystore settings with which all products are shipped:

Table of Contents

The usage of keys and certificates contained in a keystore are explained below.


titleIdentity and Trust

The key pair and the CA-signed certificates in a keystore establishes two security functions in your server: The key pair with the digital certificate is an indication of identity and the CA-signed certificate provides trust to the identity. Since the public key is used to encrypt information, the keystore containing the corresponding private key should always be protected, as it can decrypt the sensitive information. Furthermore, the privacy of the private key is important as it represents its own identity and protects the integrity of data. However, the CA-signed digital certificates should be accessible to outside parties that require to decrypt and use the information.

To facilitate this requirement, the certificates must be copied to a separate keystore (called a Truststore), which can then be shared with outside parties. Therefore, in a typical setup, you will have one keystore for identity (containing the private key) that is protected, and a separate keystore for trust (containing CA certificates) that is shared with outside parties.

See the following topics for details on how keystores are used in WSO2 products and the default keystore settings with which all products are shipped:

Table of Contents

Setting up keystores for WSO2 products


  • Maintain a primary keystore for encrypting sensitive data such as admin passwords and certain registry data. By default, the primary keystore is also used for WS-Security and for authenticating Tomcat level connections.
  • Maintain a separate keystore for authenticating the communication over SSL/TLS for Tomcat level connections.
  • Optionally, you can set up separate keystores with key pairs and certificates for WS-Security.
  • A separate keystore (truststore) for the purpose of storing the trusted certificates of public keys in your keystores.

For information on creating new keystores with the required certificates, see the related linkson how to create new keystore files, see Creating New Keystores, and for information on how to update configuration files in your product with keystore information, see Configuring Keystores in WSO2 Products.

Default keystore settings in WSO2 products



Note the following regarding WSO2 keystore management:

  • You cannot import an existing private key for which you already have a certificate.
  • You cannot delete the default wso2carbon.jks keystore.
  • You must have the same password for both keystore and private key due to a Tomcat limitation.
  • You cannot remove a service before disabling its security.


  • .