This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Page Comparison - Creating New Keystores (v.19 vs v.20) - Carbon 4.2.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Carbon-based products are shipped with a default keystore named  default keystore named  wso2carbon.jks , which  which is stored in the in the  <PRODUCT_HOME>/repository/resources/security directory  directory. This keystore comes with a private/public key pair that is used for all purposes, e.g., for encrypting sensitive information, for communication over SSL and for encryptionfor message encryption/signature signing purposes in WS-Security. Find out more about how keystores are used in WSO2 products.However, note that since  wso2carbon.jks  is available with open source WSO2 products, anyone can have access to the private key of the default keystore. It is therefore recommended to create new keystores when the products are deployed in production environments. You  You can either use one new keystore for new keystore for all purposes in your product, or you can create multiple keystores for multiple keystores for each purpose. For example, you may use one keystore for encrypting passwords in configuration files, and a separate keystore for all other purposes. Once the new keystores are created as explained below


Before you start creating new keystores and replacing the default keystore configurations with new ones, be sure to


go through the recommendations for setting up keystores in WSO2 products.

Let's start creating a new keystore:

Table of Contents


If you are creating a new keystorefor data encryption, be sure to acquire a public key certificate that contains the Data Encipherment key usage. See the keystore recommendations for more information. 

Creating a keystore using an existing certificate


In SSL handshake, client side needs to verify the certificate presented by the server side. For that, client usually stores the certificates it trusts, in a trust store. Related to SSL communication of WSO2 products, this trust store is set as client-truststore.jks which resides in the same above directory as the keystore.  Therefore, we need to import the new public certificate into this trust store for Front End and Back End communication of WSO2 products to happen properly over SSL.

Note that we are using the default client-truststore.jks file in your WSO2 product as the trust store.


To add the public key of the signed certificate to the client trust store in order to use SSL for backend communication.