WSO2 Carbon-based products ship with a default keystore named wso2carbon.jks, which is stored in the <PRODUCT_HOME>/repository/resources/security
directory. This keystore contains a private/public key pair that is used for all purposes: encrypting sensitive information, securing communication over SSL, and encrypting and signing messages in WS-Security. However, because wso2carbon.jks is distributed with the open source WSO2 products, anyone can obtain the private key of the default keystore, so anything protected with it (encrypted data, SSL sessions, signed or encrypted WS-Security messages) must be treated as exposed. It is therefore recommended to replace it with a keystore that holds self-signed or CA-signed certificates before the products are deployed to production environments. Once the default keystore is replaced with a new one, be sure to update the relevant configuration files.
Info |
---|
Before you start creating new keystores and replacing the default keystore configurations with new ones, be sure to go through the recommendations for setting up keystores in WSO2 products. |
Let's start creating a new keystore:
Note |
---|
If you are creating a new keystore for data encryption, be sure to acquire a public key certificate that contains the Data Encipherment key usage. See the keystore recommendations for more information. |
Creating a keystore using an existing certificate
...
Note |
---|
Note that we are using the default client-truststore.jks file in your WSO2 product as the trust store. |
To add the public key of the signed certificate to the client truststore, so that the product trusts this certificate when it communicates with backends over SSL:
...
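The two procedures above (creating a keystore from an existing certificate, then trusting that certificate in the client truststore) as one end-to-end script. This is an added example, not code from the WSO2 documentation or product. It assumes keytool (from a JDK) and OpenSSL 1.1.1 or later on PATH, uses a scratch directory in place of <PRODUCT_HOME>/repository/resources/security, and generates a constructed self-signed PEM key and certificate to stand in for the certificate you already hold. The alias newcarbon, the password newcarbon-pass and the file names are illustrative choices; wso2carbon is the default password of client-truststore.jks.

```sh
#!/bin/sh
# Added example (not WSO2 project code): build a replacement keystore from an
# existing PEM private key and certificate, then trust its certificate in the
# client truststore. Requires keytool (JDK) and openssl >= 1.1.1 on PATH.
set -eu

# Assumption: a scratch directory stands in for
# <PRODUCT_HOME>/repository/resources/security.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed stand-in for the "existing certificate": a self-signed PEM key and
# certificate carrying the Data Encipherment key usage the note above calls for.
# In production, use the key and the CA-signed certificate you already hold.
make_sample_pem() {                      # $1 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/O=Example/C=US" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Step 1: bundle the PEM key and certificate into PKCS#12. keytool cannot import
# a bare private key, only a key/certificate entry from another keystore.
pem_to_pkcs12() {                        # $1 = alias, $2 = password
    openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
        -name "$1" -passout "pass:$2" -out "$WORKDIR/server.p12"
}

# Step 2: copy the entry into a new JKS keystore. The same password is used for
# the store and the key; both values go into the keystore configuration later.
pkcs12_to_jks() {                        # $1 = alias, $2 = password, $3 = output .jks
    keytool -importkeystore -noprompt \
        -srckeystore "$WORKDIR/server.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
        -srcalias "$1" -destalias "$1" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$2" -destkeypass "$2" \
        >/dev/null 2>&1
}

# Step 3: export the public certificate and import it into the client truststore
# (client-truststore.jks in a real deployment) so that SSL peers presenting this
# certificate are trusted.
trust_certificate() {   # $1 = keystore, $2 = alias, $3 = store password, $4 = truststore, $5 = truststore password
    keytool -exportcert -rfc -keystore "$1" -storepass "$3" -alias "$2" \
        -file "$WORKDIR/$2.pem" >/dev/null 2>&1
    keytool -importcert -noprompt -storetype JKS -keystore "$4" -storepass "$5" \
        -alias "$2" -file "$WORKDIR/$2.pem" >/dev/null 2>&1
}

# Entry type of an alias: "PrivateKeyEntry" for a key pair, "trustedCertEntry"
# for a certificate only, empty if the alias is absent.
entry_type() {                           # $1 = keystore, $2 = password, $3 = alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# True if the alias' certificate carries the Data Encipherment key usage
# (keytool prints it as "Data_Encipherment" in verbose output).
has_data_encipherment() {                # $1 = keystore, $2 = password, $3 = alias
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q 'Data_Encipherment'
}

run_demo() {
    ks_alias="newcarbon"       # assumption: illustrative alias and password
    ks_pass="newcarbon-pass"   # JKS requires a password of at least six characters
    make_sample_pem "localhost"
    pem_to_pkcs12 "$ks_alias" "$ks_pass"
    pkcs12_to_jks "$ks_alias" "$ks_pass" "$WORKDIR/newkeystore.jks"
    # "wso2carbon" is the default password of the product's client-truststore.jks
    trust_certificate "$WORKDIR/newkeystore.jks" "$ks_alias" "$ks_pass" \
        "$WORKDIR/client-truststore.jks" "wso2carbon"
    printf 'keystore entry:   %s\n' "$(entry_type "$WORKDIR/newkeystore.jks" "$ks_pass" "$ks_alias")"
    printf 'truststore entry: %s\n' "$(entry_type "$WORKDIR/client-truststore.jks" wso2carbon "$ks_alias")"
    if has_data_encipherment "$WORKDIR/newkeystore.jks" "$ks_pass" "$ks_alias"; then
        echo "certificate has the Data Encipherment key usage"
    else
        echo "WARNING: certificate lacks Data Encipherment; do not use it for data encryption" >&2
    fi
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "keytool and openssl are required to run this example" >&2
fi
```

To use your own material, drop the make_sample_pem call and point pem_to_pkcs12 at your key and CA-signed certificate. Check has_data_encipherment before using the keystore for data encryption: a certificate issued for TLS alone often carries only digitalSignature and keyEncipherment, and a CA will not add Data Encipherment unless you request it. The store and key passwords chosen here are the values that go into the keystore configuration afterwards.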
What's next?
Once you have created a new keystore to replace the default one, as explained above, update the relevant configuration files as explained in Configuring Keystores in WSO2 Products.