Create New Keystores

There are two ways to create keystores for WSO2 Identity Server. You can either generate a keystore using an already existing public key certificate (CA-signed), or you can create the public key certificate at the time of generating the keystore.

Note

If you are creating a new keystore for data encryption, make sure to acquire a public key certificate that contains the Data Encipherment key usage as explained here.

Create a keystore using a new certificate

Note

The public key certificate we generate for the keystore is self-signed. For a CA-signed certificate, either import it into the keystore or create a new keystore with a CA-signed certificate.

  1. Navigate to the <IS_HOME>/repository/resources/security/ directory in a command prompt. All keystores should be stored here.

  2. To create the keystore that includes the private key, execute one of the following commands, depending on the keystore type you want (JKS or PKCS12). Make sure to use the same password for both the keystore and private key.

    JKS keystore:

    keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=<testdomain.org>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword

    This command will create a keystore with the following details.

    • Keystore name: newkeystore.jks
    • Alias of public certificate: newcert
    • Keystore password: mypassword
    • Private key password: mypassword

    PKCS12 keystore:

    keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore newkeystore.p12 -dname "CN=<testdomain.org>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword

    This command will create a keystore with the following details.

    • Keystore name: newkeystore.p12
    • Alias of public certificate: newcert
    • Keystore password: mypassword
    • Private key password: mypassword

    Tip

    • If you did not specify values for -keypass and -storepass, you will be prompted to enter the keystore password (-storepass). It’s advisable to use a password generator to create a strong password. When prompted for -keypass, press Enter to use the same password for both the keystore and the key.
    • If you did not specify values for -dname, you will be asked to provide those details individually.
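The following script is an added example and not part of the WSO2 documentation or product. It wraps the keytool command from this procedure in a POSIX sh function, adds an explicit KeyUsage extension so that the self-signed certificate carries the Data Encipherment key usage the note at the top of this page asks for, and then verifies that usage is really present before the file is copied into <IS_HOME>/repository/resources/security/. The alias newcert, the file names, the DN (with the angle brackets removed so keytool accepts it) and the password mypassword are the page's sample values; keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not WSO2's own script. Generates a self-signed keystore the
# way the page's keytool command does, but with a KeyUsage extension that
# includes dataEncipherment, then checks the certificate before it is used.
#
# Assumptions (not from the page): keytool (JDK) and openssl are on PATH;
# alias, file names, DN and password are the page's sample values.
set -eu

# create_keystore DIR STORETYPE  -> prints the path of the keystore it created.
# STORETYPE is JKS or PKCS12; the file extension follows the page's convention.
create_keystore() {
    dir=$1
    storetype=$2
    case "$storetype" in
        JKS)    file="$dir/newkeystore.jks" ;;
        PKCS12) file="$dir/newkeystore.p12" ;;
        *)      echo "unsupported store type: $storetype" >&2; return 1 ;;
    esac
    # Same password for the store and the key, as the procedure requires.
    # -ext KeyUsage adds the Data Encipherment bit needed for data encryption.
    keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 \
        -storetype "$storetype" -keystore "$file" \
        -dname "CN=testdomain.org, OU=Home, O=Home, L=SL, S=WS, C=LK" \
        -validity 365 \
        -ext "KeyUsage=digitalSignature,keyEncipherment,dataEncipherment" \
        -storepass mypassword -keypass mypassword >/dev/null 2>&1
    echo "$file"
}

# has_data_encipherment KEYSTORE ALIAS PASSWORD
# Exports the certificate in PEM form and checks its X509v3 Key Usage block;
# returns 0 when "Data Encipherment" is listed, 1 otherwise.
has_data_encipherment() {
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -q "Data Encipherment"
}

# Usage: sh create_keystore.sh <IS_HOME>/repository/resources/security [JKS|PKCS12]
if [ $# -ge 1 ]; then
    ks=$(create_keystore "$1" "${2:-JKS}")
    if has_data_encipherment "$ks" newcert mypassword; then
        echo "created $ks with Data Encipherment key usage"
    else
        echo "created $ks but the certificate lacks Data Encipherment" >&2
        exit 1
    fi
fi
```

The check in has_data_encipherment is the same one you would run against a CA-signed certificate before deciding to use it for data encryption: if the string is missing, the certificate is fine for TLS but not for the encryption keystore.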

Create a keystore using an existing certificate

As SSL/TLS is widely used in many systems, certificates may already exist that can be reused. In such situations, you can use an already existing CA-signed certificate to generate your keystore for SSL by using OpenSSL and Java.

To export certificates of a trust chain into a PKCS12 keystore, execute the following command. Make sure to use the same password for both the keystore and private key.

openssl pkcs12 -export -in <certificate file>.crt -inkey <private>.key -name "<alias>" -certfile <additional certificate file> -out <pfx keystore name>.p12

Info

To convert the PKCS12 formatted keystore to a Java keystore, execute the following command.

keytool -importkeystore -srckeystore <pkcs12 file name>.pfx -srcstoretype PKCS12 -destkeystore <JKS name>.jks -deststoretype JKS
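The script below is an added example, not code from the WSO2 documentation. It runs the two commands of this section non-interactively: openssl pkcs12 -export packages an existing certificate and private key (with an optional -certfile chain) into a PKCS12 keystore, keytool -importkeystore converts it to JKS, and a final keytool -list confirms that the alias is stored as a private key entry in both files. Because a CA-signed certificate cannot be supplied here, make_stand_in_cert creates a constructed self-signed pair purely so the pipeline can be exercised end to end; the alias newcert, the password mypassword and the file names are assumed sample values, and openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not WSO2's own script. Builds a PKCS12 keystore from an
# existing certificate and key, converts it to JKS, and verifies the alias.
#
# Assumptions (not from the page): openssl and keytool are on PATH; alias,
# password and file names are sample values. make_stand_in_cert produces a
# constructed self-signed certificate in place of a real CA-signed one.
set -eu

# make_stand_in_cert DIR -> writes DIR/server.key and DIR/server.crt (constructed)
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=testdomain.org/O=Home/C=LK" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# export_pkcs12 CERT KEY ALIAS OUT PASSWORD [CHAINFILE]
# Same password for the store and the key, as the page requires.
export_pkcs12() {
    cert=$1; key=$2; alias=$3; out=$4; pass=$5; chain=${6:-}
    set -- -export -in "$cert" -inkey "$key" -name "$alias" -out "$out" \
        -passout "pass:$pass"
    # Intermediate certificates are optional: add -certfile only when given.
    if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
    openssl pkcs12 "$@"
}

# pkcs12_to_jks SRC.p12 DEST.jks PASSWORD
# Passwords are passed explicitly so the conversion never prompts.
pkcs12_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -destkeystore "$2" -deststoretype JKS \
        -srcstorepass "$3" -deststorepass "$3" -destkeypass "$3" \
        -noprompt >/dev/null 2>&1
}

# keystore_has_key KEYSTORE STORETYPE ALIAS PASSWORD
# Returns 0 when ALIAS exists and holds a private key (not just a certificate).
keystore_has_key() {
    keytool -list -keystore "$1" -storetype "$2" -alias "$3" -storepass "$4" 2>/dev/null \
        | grep -q "PrivateKeyEntry"
}

# Usage: sh existing_cert_keystore.sh <certificate>.crt <private>.key <alias> [chain.crt]
if [ $# -ge 3 ]; then
    export_pkcs12 "$1" "$2" "$3" newkeystore.p12 mypassword "${4:-}"
    pkcs12_to_jks newkeystore.p12 newkeystore.jks mypassword
    keystore_has_key newkeystore.jks JKS "$3" mypassword \
        && echo "newkeystore.jks ready (alias $3)"
fi
```

The PrivateKeyEntry check matters: a PKCS12 file exported without -inkey, or a conversion that silently dropped the key, yields a trustedCertEntry that WSO2 Identity Server cannot use for signing or decryption.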