[HOW TO] Changing the primary keystore of a tenant in Carbon products.

As you know, WSO2 Identity Server can be run in multi-tenant environment. When you create a tenant in Identity Server, It would automatically generated a primary keystore for the the tenant. But this keystore is a self signed with defined CN name. Therefore It is needed to change this primary keystore as it is used for message signing/decrypting by default. Let see how you can change it.

Step 1: Create a new tenant lets say “soasecurity.org”

Step 2: When you login as tenant, you can see the primary keystore details from keystore management page.

Go to Home > Configure > KeyStores



Step 3: Generate new keystore for soasecurity.org tenant

It is very important that keystore name and private key alias name must be similar as auto generated keystore values

Sample keytool command would be as follows

> keytool -genkey -keyalg RSA -alias soasecurity.org -keystore soasecurity-org.jks -storepass password -validity 360 -keysize 2048

Step 4: As you can not delete the primary keystore from keystore management UI, you need to go to registry location and delete that keystore.

1. Go to /_system/governance/repository/security/key-stores location using registry browser UI

2. You will see key stores below , click on the actions button on the soasecurity-org.jks keystore

3. Delete it.


Step 5: Go to keystore management UI. But you still see the deleted keystore. It is due to caching issue. Therefore please do not care about it. You can upload the newly created keystore with out considering older keystore file.

1. Click Add New Keystore and point to you new keystore created at Step 3



2.When you browse keystore details, you can see the newly created keystore’s details.



Discuss this article on Stack Overflow

Leave a Reply

Your email address will not be published. Required fields are marked *