A keystore is a repository of security certificates and keys; in WSO2 products it is a file that the server loads at startup. To serve TLS or sign messages, a keystore must hold a key pair, that is, a private key together with its public-key certificate, and for other parties to trust that certificate it should be signed by a trusted Certification Authority (CA). A CA is an entity trusted by all parties taking part in a secure communication. It certifies a party's public key by signing the certificate that carries it, so any party that trusts the CA accepts the certificates signed by that CA as trusted.
The WSO2 keystore management feature lets you manage multiple keystores from the management console. To add a keystore, follow the steps below:
- Log in to the product's management console and select Keystores under the Configure menu.
- Click Add New Keystore.
- In the page that opens, provide the following information:
- Keystore File : the keystore file to upload from your machine.
- Keystore Password : the password that protects the keystore as a whole. The private key's own password is requested on the next page.
- Keystore Type : WSO2 supports the following two keystore types:
  - JKS (Java KeyStore) : you can read, add and modify both key entries and certificate entries in this type. A key entry holds a private key together with its certificate chain; a certificate entry holds a single trusted certificate and no private key.
  - PKCS12 (Public Key Cryptography Standards #12) : you can read a keystore in this format and export information from it, but you cannot modify it through the console. Its typical use is to bring certificates and keys exported from a browser, which browsers export in PKCS12 format, into your Java keystore.
- Click Next after providing the details.
- On the next page, provide the Private Key Password and click Finish.
Note the following limitations:
- The keystore management feature does not let you import an existing private key (one for which you already hold a certificate) into a keystore through the console. Such a key pair has to be placed in the keystore file before the file is uploaded.
- You cannot delete the default wso2carbon.jks keystore.
- At the moment, the keystore password and the private key password must be the same. This is due to a Tomcat limitation.
- Before removing a service, you must disable its security. This allows the system to remove the keystore associated with the service.