If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


A keystore is a repository (protected by a password) that holds the keys and certificates that form (one or multiple) trust chains of digital certificates. You use these artifacts for security purposes such as protecting sensitive information and establishing trust between your server and the outside parties that connect to the server. The usage of keys and certificates contained in a keystore are explained below.

Key pairsKeys: According to public-key cryptography, the concept of a key pair (public key and the corresponding private key) is used for protecting sensitive information and for authenticating the identity of external parties that communicate with your server. For example, information that is encrypted in your server using the public key can only be decrypted using the corresponding private key. Therefore, if any party wants to decrypt this encrypted data, they should have the corresponding private key, which is usually kept as a secret (not publicly shared).


In a keystore, each trust chain entry contains the following:

  • A private key protected by a password.
  • A digital certificate in which the public key (corresponding to the private key) is embedded. 
  • If that the digital certificate is not self-signed, the associated chain of trusted certificate signing authorities to verify trust.


Trusted certificates and certificate signing authorities: To establish trust, the digital certificate containing the public key should be signed by a trusted certificate signing authority (CA). You can generate self-signed certificates for the public key (thereby creating your own certifying authority), or you can get the certificates signed by an external CA. Both types of trusted certificates can be effectively used depending on the sensitivity of the information that is protected by the keys. When the certificate is signed by a reputed CA, all the parties who that trust this CA will also trust the certificates signed by them.


The usage of a truststore truststore in WSO2 products aligns with this concept of trust. A truststore is also just another repository (that is protected by a password ) (similar to a keystore), which stores digital certificates. These certifcates certificates can be either of the following:

  • Trusted third parties with which a software system would intend intends to communicate directly communicate .
  • Reputed certificate signing authorities (CA) that can be used to validate the identity of untrusted third parties been that are being contacted.
Even if

  • For example, consider a scenario where the exact certificate of
  • the third party that
  • the WSO2 server
would intend to communicate with,
  • is attempting to contact is not in the truststore. In this scenario, if
  • the third party has a CA-signed certificate and one of the certificates of its trust chain is already included in the WSO2 server's truststore, the trust is automatically granted
to the certificate in question
  • and a successful SSL connection is
  • established between the WSO2 server and the third party.

By default, Every every WSO2 product is shipped with a truststore that it uses to validate the identity of third party systems been contacted.

titleIdentity and Trust

The key pair and the CA-signed certificates in a keystore will establish two security functions in your server: The key pair with the digital certificate is an indication of identity and the CA-signed certificate provides trust to the identity. Since the public key is used to encrypt information, the keystore containing the corresponding private key should always be protected, as it can decrypt the sensitive information. Furthermore, the privacy of the private key is important as it represents its own identity and protects the integrity of data. However, the CA-signed digital certificates should be accessible to outside parties that require to decrypt and use the information.

To facilitate this requirement, the certificates must be copied to a separate keystore (called a Truststore), which can then be shared with outside parties. Therefore, in a typical setup, you will have one keystore for identity (containing the private key) that is protected, and a separate keystore for trust (containing CA certificates) that is shared with outside parties.

Default keystore and truststore in WSO2 products

All WSO2 products are by default shipped with a keystore file and truststore file (stored in the <PRODUCT_HOME>/repository/resources/security/ directory):