Change the public/private key pair in the default keystore of WSO2 products

WSO2 products ship with a default keystore, wso2carbon.jks, which holds a default public/private key pair. You may need to replace that key pair, for example with one whose certificate is issued for your own host name. There are several steps to follow:

1. Remove the existing default public/private key pair
2. Create a new public/private key pair
3. Export the certificate from the keystore
4. Import it into the client trust store
5. Change the private key related configuration in carbon.xml

There is a limitation in Tomcat: a private key added to the existing wso2carbon.jks must have the same password as the keystore itself. Hence the password of the new key must also be "wso2carbon".

The keystore is also expected to hold only one public/private key pair (again a Tomcat limitation), so the existing "wso2carbon" key pair has to be removed from the keystore before the new one is added.

Download KeyStore Explorer [1].

Then extract kse-501-install.tar.gz and run install.sh:


./install.sh

(you need to be root to perform this operation)

Then go into the kse5.0 folder and run kse.sh:


./kse.sh

Then open the wso2carbon.jks keystore (in <CARBON_HOME>/repository/resources/security) using KeyStore Explorer.

When it prompts for the keystore password, enter "wso2carbon".

Then you can see the default public/private key pair, with the alias "wso2carbon", listed in the keystore.

Select it and press Delete, then save the keystore.

Now the default public/private key pair has been removed from the wso2carbon.jks keystore.

Now let’s create a new public/private key pair.

Run the following command in <CARBON_HOME>/repository/resources/security:

keytool -genkeypair -alias <ALIAS> -keyalg RSA -keysize 2048 -keypass wso2carbon -keystore wso2carbon.jks

You will then be asked for the following details. (keytool's default certificate validity is only 90 days; add -validity <days> to the command above if you want a longer-lived certificate.)

What is your first and last name?
  [Unknown]:  <enter the host name of the machine>
What is the name of your organizational unit?
  [Unknown]:  <provide an appropriate value>
What is the name of your organization?
  [Unknown]:  <provide an appropriate value>
What is the name of your City or Locality?
  [Unknown]:  <provide an appropriate value>
What is the name of your State or Province?
  [Unknown]:  <provide an appropriate value>
What is the two-letter country code for this unit?
  [Unknown]:  <provide an appropriate value>

*Note: keep the key password as wso2carbon. keytool will also prompt for the keystore password, which is wso2carbon as well.

The new certificate then needs to be imported into client-truststore.jks. Execute the following commands in the same directory.

To export the certificate from the keystore (-rfc writes it in PEM format, matching the .pem file name):

keytool -export -rfc -alias <ALIAS> -file <ALIAS>.pem -keystore wso2carbon.jks -storepass wso2carbon

To import it into the client trust store (the default trust store password is also wso2carbon):

keytool -importcert -alias <ALIAS> -file <ALIAS>.pem -keystore client-truststore.jks -storepass wso2carbon

Then a few settings need to be changed in carbon.xml (<CARBON_HOME>/repository/conf/carbon.xml).

Under the Security tag you will find the KeyStore tag. Enter the alias of your new key pair between the KeyAlias tags:

<KeyStore>
    <!-- Keystore file location-->
    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password>wso2carbon</Password>
    <!-- Private Key alias-->
    <KeyAlias>YOUR NEW ALIAS GOES HERE</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword>wso2carbon</KeyPassword>
</KeyStore>

Then restart the server. Your default public/private key pair has now been changed. Want to confirm it?

Open the server over HTTPS in your browser and check the certificate information: the subject should show the host name and organization details you entered above. 🙂
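The five steps above, scripted with keytool alone so that they can be repeated on every node without KeyStore Explorer, plus a helper that edits the KeyAlias in carbon.xml and one that lists the resulting aliases. This is an added example and not code from the original post or from WSO2; it assumes a JDK keytool on PATH, that the keystore and key password are both "wso2carbon" (the Tomcat constraint described above), and that the security directory, alias names, host name and carbon.xml path are supplied by the caller. The -dname values other than CN are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from WSO2: rotate the key pair
# in wso2carbon.jks / client-truststore.jks with keytool and update carbon.xml.
# Assumptions: a JDK keytool is on PATH; keystore and key password are both
# "wso2carbon"; directory, aliases, host name and carbon.xml path come from
# the caller. The OU/O/L/ST/C values in -dname are placeholders.
set -eu

STOREPASS="${STOREPASS:-wso2carbon}"

# rotate_key_pair <security-dir> <old-alias> <new-alias> <host-name>
# Steps 1-4: delete <old-alias> from wso2carbon.jks, generate a new RSA-2048
# pair under <new-alias> with the keystore password, export its certificate as
# PEM and import it into client-truststore.jks (replacing a stale entry).
rotate_key_pair() {
  dir="$1"; old="$2"; new="$3"; host="$4"
  ks="$dir/wso2carbon.jks"
  ts="$dir/client-truststore.jks"

  # step 1: remove the existing pair (skip if it is already gone)
  if keytool -list -keystore "$ks" -storepass "$STOREPASS" -alias "$old" >/dev/null 2>&1; then
    keytool -delete -alias "$old" -keystore "$ks" -storepass "$STOREPASS"
  fi

  # step 2: -dname replaces the interactive prompts; CN must be the host name.
  # keytool's default validity is only 90 days, so it is set explicitly here.
  keytool -genkeypair -alias "$new" -keyalg RSA -keysize 2048 -validity 730 \
    -dname "CN=$host, OU=Example Unit, O=Example Org, L=Colombo, ST=Western, C=LK" \
    -storetype JKS -keystore "$ks" -storepass "$STOREPASS" -keypass "$STOREPASS"

  # step 3: export in PEM (-rfc); without it keytool writes binary DER
  keytool -export -rfc -alias "$new" -file "$dir/$new.pem" \
    -keystore "$ks" -storepass "$STOREPASS"

  # step 4: import into the trust store, dropping any stale entry with the same alias
  if keytool -list -keystore "$ts" -storepass "$STOREPASS" -alias "$new" >/dev/null 2>&1; then
    keytool -delete -alias "$new" -keystore "$ts" -storepass "$STOREPASS"
  fi
  keytool -importcert -noprompt -alias "$new" -file "$dir/$new.pem" \
    -storetype JKS -keystore "$ts" -storepass "$STOREPASS"
}

# set_key_alias <carbon.xml> <new-alias>   (step 5)
# Rewrites only the <KeyAlias> inside the <KeyStore> block; any other KeyAlias
# element in the file (for example under a RegistryKeyStore block) is untouched.
set_key_alias() {
  file="$1"; new="$2"
  awk -v a="$new" '
    /<KeyStore>/   { in_ks = 1 }
    /<\/KeyStore>/ { in_ks = 0 }
    in_ks && /<KeyAlias>/ { sub(/<KeyAlias>[^<]*<\/KeyAlias>/, "<KeyAlias>" a "</KeyAlias>") }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# list_aliases <jks-file>: prints one alias per line, for checking the result
list_aliases() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | awk -F', ' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# Usage on a server (stop it and back up both keystores first):
#   rotate_key_pair /opt/wso2/repository/resources/security wso2carbon mynewkey host.example.com
#   set_key_alias   /opt/wso2/repository/conf/carbon.xml mynewkey
#   list_aliases    /opt/wso2/repository/resources/security/wso2carbon.jks
```

Run list_aliases against both keystores before restarting: wso2carbon.jks should show only the new alias as a PrivateKeyEntry, and client-truststore.jks should show the new alias as a trustedCertEntry alongside the existing CA entries.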

[1] http://sourceforge.net/projects/keystore-explorer/files/KSE%205.0.1/kse-501-install.tar.gz/download
