Change the private/public key pair of default keystore of wso2 products

WSO2 products comes with a default keystore. There may be a requirement to change the default  public/private key pair that comes in the default keystore. There are several steps you should follow.

1. Remove existing default public/private key pair

2.Create a new public/private key pair

3.Export certificate from key store

4. Import it in to client-trust store

5. Change private key related configurations in the carbon.xml

There is limitation in tomcat. So if you are going to add a new private key to the existing wso2carbon.jks , then the key should have the same password as the keystore. hence password of the new key should be “wso2carbon”.

There can’t be two public/private key pairs in the the same keystore (tomcat limitation). There for existing public/private key pair “wso2carbon” needs to be removed from the keystore.

Download Keystore explorer [1].

Then extract kse-501-install.tar.gz and run using command


(you need to be the root to perform this operation)

then go in to kse5.0 folder and run


Then open wso2carbon.jks keystore using the keystore explorer.

It will prompt for the keystore password, enter “wso2carbon” as the keystore password.

Then you can see the default public/private key pair as below.


Select it and Press Delete.

So now we have removed default private/public key pair from the wso2carbon.jks default key store.

Now let’s create a new public/private key pair.

Run following commands in the <CARBON_HOME>/repository/resources/security

keytool -genkeypair -alias <ALIAS> -keyalg RSA -keysize 2048 -keypass wso2carbon -keystore wso2carbon.jks

Then you will be asked following deatils .

What is your first and last name?
  [Unknown]:  <Enter host name of the machine >
What is the name of your organizational unit?
  [Unknown]: <provide appropiate one>
What is the name of your organization?
  [Unknown]:  <provide appropiate one>
What is the name of your City or Locality?
  [Unknown]: <provide appropiate one>
What is the name of your State or Province?
  [Unknown]:  <provide appropiate one>
What is the two­letter country code for this unit?
  [Unknown]: <provide appropiate one>

*Note- Please keep the password wso2carbon as it is.

Then this needs to be imported to client-truststore.Execute following commands in the same directory.

to export the certificate from keystore

keytool -export -alias <ALIAS> -file <ALIAS>.pem -keystore wso2carbon.jks -storepass wso2carbon

to import it to the client trust store

keytool -importcert -alias <ALIAS> -keystore client-truststore.jks -file <ALIAS>.pem

Then there are few settings to be changed in carbon.xml.

In the carbon.xml under the Security tag , you can find KeyStore tag. enter your new key paire alias between the KeyAlias tags.

<!-- Keystore file location-->
<!-- Keystore type (JKS/PKCS12 etc.)-->
<!-- Keystore password-->
<!-- Private Key alias-->
<!-- Private Key password-->

and then restart the server.Now your default private/public key pair has been changed. hmmm want to get it confirmed?

Check the certificate information using the Browser… 🙂