WSO2 products come with a default keystore. You may need to change the default public/private key pair that ships in that keystore. There are several steps to follow.
1. Remove the existing default public/private key pair
2. Create a new public/private key pair
3. Export the certificate from the keystore
4. Import it into the client trust store
5. Change the private key related configuration in carbon.xml
There is a limitation in Tomcat: if you are going to add a new private key to the existing wso2carbon.jks, the key must have the same password as the keystore. Hence the password of the new key should be “wso2carbon”.
There can’t be two public/private key pairs in the same keystore (Tomcat limitation). Therefore the existing public/private key pair “wso2carbon” needs to be removed from the keystore.
Download KeyStore Explorer [1].
Then extract kse-501-install.tar.gz and run install.sh using the command
./install.sh
(you need to be root to perform this operation)
Then go into the kse5.0 folder and run kse.sh
./kse.sh
Then open the wso2carbon.jks keystore using KeyStore Explorer.
It will prompt for the keystore password; enter “wso2carbon”.
You will then see the default public/private key pair listed.

Select it and press Delete.
We have now removed the default public/private key pair from the default keystore, wso2carbon.jks.
Now let’s create a new public/private key pair.
Run the following command in <CARBON_HOME>/repository/resources/security:
keytool -genkeypair -alias <ALIAS> -keyalg RSA -keysize 2048 -keypass wso2carbon -keystore wso2carbon.jks
You will then be asked for the following details.
What is your first and last name?
[Unknown]: <enter the host name of the machine>
What is the name of your organizational unit?
[Unknown]: <provide appropriate one>
What is the name of your organization?
[Unknown]: <provide appropriate one>
What is the name of your City or Locality?
[Unknown]: <provide appropriate one>
What is the name of your State or Province?
[Unknown]: <provide appropriate one>
What is the two-letter country code for this unit?
[Unknown]: <provide appropriate one>
*Note: please keep the password as wso2carbon.
The certificate then needs to be imported into the client trust store. Execute the following commands in the same directory.
To export the certificate from the keystore:
keytool -export -alias <ALIAS> -file <ALIAS>.pem -keystore wso2carbon.jks -storepass wso2carbon
To import it into the client trust store:
keytool -importcert -alias <ALIAS> -keystore client-truststore.jks -file <ALIAS>.pem
Then there are a few settings to be changed in carbon.xml.
In carbon.xml, under the Security tag, you can find the KeyStore tag. Enter your new key pair alias between the KeyAlias tags.
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password>wso2carbon</Password>
<!-- Private Key alias-->
<KeyAlias>YOUR NEW ALIAS GOES HERE</KeyAlias>
<!-- Private Key password-->
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
Then restart the server. Now your default public/private key pair has been changed. Hmm, want to get it confirmed?
Check the certificate information using the browser… 🙂
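A command-line complement to the browser check, as an added example that is not part of the original post or of WSO2's tooling: it parses the text printed by keytool -list and the text of carbon.xml, then confirms that the keystore holds exactly one key pair and that KeyAlias points at it. The function names, the alias "newkey" and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WSO2 tooling): post-change consistency check.

# Aliases of all PrivateKeyEntry lines in `keytool -list` output.
# Entry lines look like: "<alias>, <date>, PrivateKeyEntry, "
private_key_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/, PrivateKeyEntry,/ { print $1 }'
}

# <KeyAlias> value inside the <KeyStore> element of carbon.xml text.
configured_alias() {
    printf '%s\n' "$1" | awk '
        /<KeyStore>/   { k = 1 }
        /<\/KeyStore>/ { k = 0 }
        k && /<KeyAlias>/ { gsub(/.*<KeyAlias>|<\/KeyAlias>.*/, ""); print; exit }'
}

# Returns 0 = consistent, 1 = not exactly one key pair, 2 = alias mismatch.
check_keystore() {
    ck_aliases=$(private_key_aliases "$1")
    ck_count=$(printf '%s\n' "$ck_aliases" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$ck_count" -ne 1 ]; then
        echo "FAIL: expected 1 private key entry, found $ck_count"; return 1
    fi
    # JKS keystores store aliases in lower case, so compare case-insensitively.
    ck_have=$(printf '%s' "$ck_aliases" | tr '[:upper:]' '[:lower:]')
    ck_want=$(configured_alias "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$ck_have" != "$ck_want" ]; then
        echo "FAIL: carbon.xml KeyAlias '$ck_want' != keystore alias '$ck_have'"; return 2
    fi
    echo "OK: single key pair '$ck_have' matches carbon.xml"
}

# Constructed sample inputs ("newkey" is a made-up alias).
SAMPLE_LISTING='Keystore type: JKS

Your keystore contains 1 entry

newkey, Mar 3, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): <constructed placeholder>'
SAMPLE_XML='<KeyStore>
  <Type>JKS</Type>
  <KeyAlias>NewKey</KeyAlias>
</KeyStore>'

check_keystore "$SAMPLE_LISTING" "$SAMPLE_XML"
```

On a real installation, pass the output of keytool -list -keystore wso2carbon.jks -storepass wso2carbon as the first argument and the contents of carbon.xml as the second.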
[1] http://sourceforge.net/projects/keystore-explorer/files/KSE%205.0.1/kse-501-install.tar.gz/download