If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.


You can set up several keystores with separate key pairs and certificates for the above use cases in your system. It is recommended to maintain the following keystores: 

  • Maintain one primary keystore for encrypting sensitive internal data such as admin passwords, certain registry data, and any other sensitive information found at both product-level and product feature-level configurations/configuration files. By default, the primary keystore is also used for WS-Security and for authenticating Tomcat level connections.

  • Maintain another secondary keystore, containing the server’s public key certificate for authenticating communication over SSL/TLS (for both Tomcat and Axis2 level HTTP connections).

  • Optionally, you can set up separate keystores with key pairs and certificates for WS-Security.
  • Maintain a separate keystore (truststore) for storing the trusted certificates of public keys in your keystores.
  • If your deployment contains multiple products, instances of the same product must use the same keystore for SSL. Different products can use different keystores for SSL, but it is not mandatory.

  • It is recommended to use a CA-signed keystore for the keystore used for SSL communication; however, this is not mandatory. Even a self-signed certificate may suffice, if it can be trusted by the clients.

  • The keystore used for SSL must use the same password for both the keystore and the private key, due to a Tomcat limitation.

  • The primary keystore used for admin passwords and other data encryption requirements can be a self-signed one. You can use a CA-signed keystore, but it adds no value because the keystore is used only for internal data encryption and not for external communication.

  • The primary keystore's public key certificate must have the Data Encipherment key usage to allow direct encipherment of raw data using its public key. Therefore, note that it is necessary to create the public key certificate with “Data_Encipherment” key usage. This key usage is already included in the default self-signed certificate.

  • Optionally, you can set up separate keystores for message-level data encryption in WS-Security as well.
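The Data_Encipherment requirement above can be checked from a `keytool -list -v` listing. The following is an added example, not part of the WSO2 documentation or product code: the function name `check_key_usage`, the aliases and the sample listing are constructed for illustration, and treating a certificate with no KeyUsage extension as a failure is an assumption of the example.

```shell
#!/bin/sh
# Added example (not WSO2 code). Reads `keytool -list -v` output on stdin and
# reports, per PrivateKeyEntry alias, whether KeyUsage lists Data_Encipherment.
# Real use, placeholder path: keytool -list -v -keystore <primary>.jks | check_key_usage
check_key_usage() {
  awk '
    function report() {
      if (alias == "" || !is_key) return
      # Assumption of this example: a certificate with no KeyUsage extension
      # is flagged too, because the guide asks for the usage to be present.
      status = !seen_ku ? "no-keyusage" : (has_de ? "ok" : "missing")
      if (status != "ok") bad = 1
      print alias ": " status
    }
    /^Alias name: /  { report(); alias = substr($0, 13)
                       is_key = 0; seen_ku = 0; has_de = 0; in_ku = 0; next }
    /^Entry type: PrivateKeyEntry/ { is_key = 1; next }
    /^KeyUsage \[/   { seen_ku = 1; in_ku = 1; next }
    in_ku && /^\]/   { in_ku = 0; next }
    in_ku && /Data_Encipherment/ { has_de = 1 }
    END { report(); exit bad + 0 }
  '
}

# Constructed sample in the layout keytool prints (trimmed to the relevant lines).
sample_listing() {
  cat <<'EOF'
Alias name: primary
Entry type: PrivateKeyEntry
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]
Alias name: tlsonly
Entry type: PrivateKeyEntry
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
Alias name: rootca
Entry type: trustedCertEntry
EOF
}

sample_listing | check_key_usage || echo "at least one key entry lacks Data_Encipherment"
```

The function exits non-zero when any private key entry lacks the usage, so it can gate a deployment script; trusted certificate entries are skipped.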

For information on creating new keystores with the required certificates, see Creating New Keystores, and for information on how to update configuration files in your product with keystore information, see Configuring Keystores in WSO2 Products.

Default keystore settings in WSO2 products