If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.
Page Comparison - Using Asymmetric Encryption (v.42 vs v.43) - Administration Guide 4.4.x - WSO2 Documentation


...

  • Certificates of trusted third parties with which a software system intends to communicate directly.
  • Certificates of reputed certificate signing authorities (CA) that can be used to validate the identity of untrusted third parties that are being contacted. For example, consider a scenario where the exact certificate of the third party that the WSO2 server is attempting to contact is not in the truststore. In this scenario, if the third party has a CA-signed certificate and one of the certificates of its trust chain is already included in the WSO2 server's truststore, the trust is automatically granted and a successful SSL connection is established between the WSO2 server and the third party.

...


...

Identity and Trust

The key pair and the CA-signed certificates in a keystore establish two security functions in your server: the key pair with its digital certificate is an indication of identity, and the CA-signed certificate provides trust in that identity. Since the public key is used to encrypt information, the keystore containing the corresponding private key should always be protected, as that private key can decrypt the sensitive information. Furthermore, keeping the private key private is important because it represents the server's own identity and protects the integrity of data. The CA-signed digital certificates, however, should be accessible to outside parties that need to decrypt and use the information.

To facilitate this requirement, the certificates must be copied to a separate keystore (called a Truststore), which can then be shared with outside parties. Therefore, in a typical setup, you will have one keystore for identity (containing the private key) that is protected, and a separate keystore for trust (containing CA certificates) that is shared with outside parties.
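The following is an added example (not code from the WSO2 documentation or product) showing how the two-keystore layout described above is consumed by a Java TLS client or server: the identity keystore feeds the KeyManagerFactory, the shared truststore feeds the TrustManagerFactory, and the truststore is checked to contain certificates only, so that no private key leaks into the file that is meant to be shared. The file paths and passwords are placeholders, not values taken from this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext from a separate identity keystore and truststore (added example). */
public class SeparateIdentityAndTrust {

    /** Loads a JKS file; the password is required to verify the store's integrity. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Rejects a truststore that carries a private key: a shared store must hold certificates only. */
    static void assertCertificatesOnly(KeyStore truststore) throws Exception {
        for (String alias : Collections.list(truststore.aliases())) {
            if (truststore.isKeyEntry(alias)) {
                throw new IllegalStateException("truststore alias '" + alias
                        + "' holds a private key; keep it in the identity keystore instead");
            }
        }
    }

    static SSLContext build(String keystorePath, char[] keystorePw, char[] keyPw,
                            String truststorePath, char[] truststorePw) throws Exception {
        KeyStore identity = load(keystorePath, keystorePw);   // private key + own certificate
        KeyStore trust = load(truststorePath, truststorePw);  // CA and peer certificates only
        assertCertificatesOnly(trust);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);                            // proves our identity to peers
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                                      // decides which peers we trust

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords (assumed, not from the page); replace with your deployment's values.
        SSLContext ctx = build("<PRODUCT_HOME>/path/to/wso2carbon.jks",
                "<keystore-password>".toCharArray(), "<key-password>".toCharArray(),
                "<PRODUCT_HOME>/path/to/client-truststore.jks", "<truststore-password>".toCharArray());
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```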

Default keystore and truststore in WSO2 products

...

  • wso2carbon.jks: This is the default keystore, which contains a private key and the self-signed public key certificate.
  • client-truststore.jks: This is the default truststore, which contains certificates of reputed CAs that can validate the identity of third party systems. This truststore also contains the self-signed certificate of the default wso2carbon.jks keystore.


...

Usage of keystores in WSO2 products

In WSO2 products, asymmetric encryption is used by default for the following purposes:

...

Note

The default keystore that is shipped with a WSO2 product (wso2carbon.jks) is by default configured for all of the above purposes. However, in a production environment, it is advised to set up several different keystores with separate trust chains for the above use cases.

Recommendations for setting up keystores in WSO2 products

Follow the recommendations given below when you set up your keystores.

...