A keystore is a password-protected file that holds private keys, the certificates that identify them, and the certificates of parties you trust. A keystore must contain at least one key pair together with a certificate for that key; in a production deployment that certificate should be signed by a trusted Certification Authority (CA). A CA is an entity that all parties in a secure communication trust, and it certifies a party's public key by signing it. When a CA is trusted, every party trusts and accepts the public key certificates that this particular CA has signed.
WSO2 products let you add keystores through the management console or through XML configuration, and import certificates into a keystore through the management console. The WSO2 keystore management feature provides both a UI and an API for adding and managing the keystores used in WS-Security scenarios. When you apply WS-Security to a Web service from the management console, you choose one of the uploaded keystores for the encryption and signing operations. The management console also lets you view and delete keystores.
All keystore management functions are exposed through APIs, so a custom extension to a WSO2 product (for example, a WSO2 ESB mediator) can access the configured keystores directly through the API. The API hides the underlying complexity, so third-party applications can also use it to manage their own keystores.
Note the following regarding WSO2 keystore management:
- You cannot import a private key through the management console, even when you already have a certificate for it; only certificates can be imported into an existing keystore.
- You cannot delete the default wso2carbon.jks keystore.
- The keystore password and the private key password must be identical, because of a Tomcat limitation. Tools such as keytool set the two separately (-storepass and -keypass), so give both the same value when you create the key pair.
- You cannot remove a service before disabling its security.
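The constraints above, worked through with the JDK keytool as an added example (this is not code from the WSO2 documentation or product): the key pair is generated with -keypass equal to -storepass, the certificate is obtained by sending a CSR to a CA (a local test CA built in a second keystore stands in for the real one), and the finished keystore is audited before it is uploaded. Every alias, DN, hostname, file name and password in it is a placeholder chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the WSO2 documentation: build a keystore that
# satisfies the constraints listed above using the JDK keytool. A local test
# CA stands in for the real CA. Assumptions: keytool is on PATH; every alias,
# DN, hostname, file name and password below is a placeholder.
set -eu

# One password for both the keystore and its private key (Tomcat constraint).
STOREPASS="${STOREPASS:-example-password}"
CA_PASS="${CA_PASS:-example-ca-password}"

# Generate an RSA key pair plus a temporary self-signed certificate.
# -keypass is deliberately set equal to -storepass.
create_keystore() {
    ks="$1"; alias="$2"; dn="$3"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$alias" -dname "$dn" -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
}

# Write a CSR for the key pair; this is what goes to the CA.
create_csr() {
    ks="$1"; alias="$2"; out="$3"
    keytool -certreq -alias "$alias" -keystore "$ks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -file "$out" 2>/dev/null
}

# Stand-in CA: a second keystore holding a CA key, used only to sign CSRs.
create_test_ca() {
    ca_ks="$1"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 \
        -alias testca -dname "CN=Example Test CA, O=Example" \
        -ext bc=ca:true -keystore "$ca_ks" -storetype JKS \
        -storepass "$CA_PASS" -keypass "$CA_PASS" 2>/dev/null
}

# Sign the CSR with the test CA key (keytool -gencert) and export the CA cert.
sign_csr() {
    ca_ks="$1"; csr="$2"; out_cert="$3"; out_ca_cert="$4"; host="$5"
    keytool -gencert -alias testca -keystore "$ca_ks" -storepass "$CA_PASS" \
        -validity 365 -ext "san=dns:$host" -rfc \
        -infile "$csr" -outfile "$out_cert" 2>/dev/null
    keytool -exportcert -alias testca -keystore "$ca_ks" -storepass "$CA_PASS" \
        -rfc -file "$out_ca_cert" 2>/dev/null
}

# Import the CA certificate as a trusted entry first, then the signed reply
# under the key pair's alias: keytool refuses a reply whose issuer it cannot
# chain to a certificate it already trusts.
import_signed_chain() {
    ks="$1"; alias="$2"; ca_cert="$3"; signed_cert="$4"
    keytool -importcert -noprompt -alias testca -file "$ca_cert" \
        -keystore "$ks" -storepass "$STOREPASS" 2>/dev/null
    keytool -importcert -noprompt -alias "$alias" -file "$signed_cert" \
        -keystore "$ks" -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
}

# Audit before upload: the alias must be a PrivateKeyEntry, its chain must be
# longer than one certificate (i.e. CA-signed, not the temporary self-signed
# one), and the key must open with the store password (a certreq with
# -keypass fails with "Cannot recover key" if the passwords differ).
audit_keystore() {
    ks="$1"; alias="$2"
    listing=$(keytool -list -v -alias "$alias" -keystore "$ks" \
        -storepass "$STOREPASS" 2>/dev/null)
    printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    printf '%s\n' "$listing" | grep -q 'Certificate chain length: 2' || return 1
    keytool -certreq -alias "$alias" -keystore "$ks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1 || return 1
}

# End-to-end flow in a working directory; non-zero status if the audit fails.
build_keystore() {
    dir="$1"; alias="$2"; host="server.example.com"
    create_test_ca "$dir/testca.jks"
    create_keystore "$dir/server.jks" "$alias" "CN=$host, O=Example"
    create_csr "$dir/server.jks" "$alias" "$dir/server.csr"
    sign_csr "$dir/testca.jks" "$dir/server.csr" "$dir/server.cer" "$dir/testca.cer" "$host"
    import_signed_chain "$dir/server.jks" "$alias" "$dir/testca.cer" "$dir/server.cer"
    audit_keystore "$dir/server.jks" "$alias"
}

if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    build_keystore "$work" wso2example && echo "keystore ready: $work/server.jks"
fi
```

Saved as, say, build_keystore.sh, it runs with `sh build_keystore.sh run`. For a real deployment replace the test CA steps with your CA's signing process, keep -keypass equal to -storepass, and upload the finished keystore through the management console; the console imports certificates, not private keys, so the key pair has to be created outside it as shown here.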
This section provides the following information: