Maintain one primary keystore for encrypting sensitive internal data such as admin passwords and any other sensitive information found at both product-level and product feature-level configurations/configuration files.
Maintain another secondary keystore, containing the server’s public key certificate for authenticating communication over SSL/TLS (for both Tomcat and Axis2 level HTTP connections).
If your deployment contains multiple products, instances of the same product must use the same keystore for SSL. Different products can use different keystores for SSL, but it is not mandatory.
It is recommended to use a CA-signed keystore for the keystore used for SSL communication; however, this is not mandatory. Even a self-signed certificate may suffice, if it can be trusted by the clients.
Keystore used for SSL must contain same password for both KeyStore and private key passwords due to a Tomcat limitation.
Primary keystore used for admin passwords and other data encryption requirements can be a self-signed one. You can use a CA-signed keystore, But there is no added value of using such CA-signed keystore as it is not used for external communication, but only for internal data encryption.
The primary keystore's public key certificate must have the Data Encipherment key usage to allow direct encipherment of raw data using its public key. Therefore, note that it is necessary to create the public key certificate with “Data_Encipherment” key usage. This key usage is already included in the default self-signed certificate.
Optionally, you can set up separate keystores for message-level data encryption in WS-Security as well.
For information on creating
new keystores with the required certificates, see Creating New Keystores, and for information on how to update configuration files in your product