Wednesday, January 29, 2014

Import SSL Certificate to WSO2 Identity Server

The following post shows how to import an SSL certificate, together with its private key, into WSO2 Identity Server and configure the server to use it.

1) Import your certificate and private key into wso2carbon.jks (found in <CARBON_HOME>/repository/resources/security) with the following keytool command: 
keytool -importkeystore -srckeystore <YOUR_KEY_STORE> -destkeystore wso2carbon.jks -srcstoretype <YOUR_KEY_STORE_TYPE> -deststoretype jks -srcstorepass <PASSWORD> -deststorepass wso2carbon 

2) WSO2 IS works with a single private key in wso2carbon.jks, the one named by KeyAlias in carbon.xml, so the default wso2carbon key entry has to go. Delete it with the following command: 
keytool -delete -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon 

3) WSO2 IS requires the wso2carbon.jks store password and the private key password to be identical; otherwise the server reports an error. The shipped store password is "wso2carbon". If your key's password is different, change the store password to match it with the following command (it prompts for the current and the new password): 
keytool -storepasswd -keystore wso2carbon.jks 

4) Do not import your private key into client-truststore.jks; that is a common mistake. The trust store only needs your public certificate. Export the certificate from wso2carbon.jks and import it into client-truststore.jks (its shipped password is also "wso2carbon") with the following commands. 

keytool -export -keystore wso2carbon.jks -alias <YOUR_ALIAS> -file test.cer 
keytool -import -alias <YOUR_ALIAS> -file test.cer -keystore client-truststore.jks 

5) Finally, update carbon.xml and identity.xml with the new certificate settings. Both files are in <CARBON_HOME>/repository/conf. 

In carbon.xml, under the <Security> element you will find a <KeyStore> block. Change its Password, KeyAlias and KeyPassword elements to your store password, your key alias and your key password (the same value as the store password, per step 3). Leave the neighbouring <TrustStore> block alone unless you also changed the trust store password. 

In identity.xml, under <EntitlementSettings> you will find the <ThirftBasedEntitlementConfig> element. Change its Password element to your new store password as well. 

After completing the above steps, start the server. 
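As an added example (this is not code from the original post or from WSO2), here are the five steps above as one script you can run against an unpacked WSO2 IS installation, plus a post-condition check that wso2carbon.jks ended up with exactly one private key under the alias carbon.xml names. It assumes a JDK keytool on PATH; CARBON_HOME, the source keystore path, type and password, the key alias and the new store password are placeholders supplied through environment variables, and the carbon.xml fragment inside the demo function is constructed for illustration, not copied from a real install.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: steps 1-5 as one script plus a
# post-condition check. Assumes a JDK 'keytool' on PATH, an unpacked WSO2 IS
# at $CARBON_HOME and a PKCS12/JKS source keystore holding your key under
# $KEY_ALIAS. Every value below is a placeholder; override it via environment.
set -eu

CARBON_HOME="${CARBON_HOME:-/opt/wso2is}"
SEC_DIR="$CARBON_HOME/repository/resources/security"   # keystores live here
CONF_DIR="$CARBON_HOME/repository/conf"                 # carbon.xml, identity.xml
SRC_KEYSTORE="${SRC_KEYSTORE:-/path/to/your-keystore.p12}"
SRC_STORETYPE="${SRC_STORETYPE:-PKCS12}"
SRC_STOREPASS="${SRC_STOREPASS:-changeit}"
SRC_KEYPASS="${SRC_KEYPASS:-$SRC_STOREPASS}"
KEY_ALIAS="${KEY_ALIAS:-myserver}"
STOREPASS="${STOREPASS:-wso2carbon}"   # shipped default is public; change it in production
TRUSTPASS="${TRUSTPASS:-wso2carbon}"

# Steps 1-3: copy the key in, drop the default 'wso2carbon' key entry, and set
# the new key's password equal to the store password (the server requires it).
import_key() {
  local store="$SEC_DIR/wso2carbon.jks"
  cp -p "$store" "$store.orig"    # keep the shipped keystore for rollback
  keytool -importkeystore -noprompt \
    -srckeystore "$SRC_KEYSTORE" -srcstoretype "$SRC_STORETYPE" \
    -srcstorepass "$SRC_STOREPASS" -srckeypass "$SRC_KEYPASS" -srcalias "$KEY_ALIAS" \
    -destkeystore "$store" -deststoretype JKS -deststorepass "$STOREPASS" \
    -destalias "$KEY_ALIAS" -destkeypass "$STOREPASS"
  keytool -delete -alias wso2carbon -keystore "$store" -storepass "$STOREPASS"
}

# Step 4: the trust store gets the public certificate only, never the key.
trust_own_cert() {
  local cer; cer="$(mktemp)"
  keytool -export -rfc -alias "$KEY_ALIAS" -keystore "$SEC_DIR/wso2carbon.jks" \
    -storepass "$STOREPASS" -file "$cer"
  keytool -import -noprompt -alias "$KEY_ALIAS" -file "$cer" \
    -keystore "$SEC_DIR/client-truststore.jks" -storepass "$TRUSTPASS"
  rm -f "$cer"
}

# Post-condition: exactly one PrivateKeyEntry, under the alias carbon.xml names.
check_keystore() {
  local store="$1" keyalias="$2" pass="$3" listing keys
  listing="$(keytool -list -keystore "$store" -storepass "$pass")"
  keys="$(printf '%s\n' "$listing" | grep -c PrivateKeyEntry || true)"
  [ "$keys" -eq 1 ] || { echo "expected 1 PrivateKeyEntry, found $keys" >&2; return 1; }
  printf '%s\n' "$listing" | grep -q "^$keyalias," || { echo "alias $keyalias missing" >&2; return 1; }
}

# Step 5a: rewrite Password/KeyAlias/KeyPassword inside the <KeyStore> block only,
# so <TrustStore> keeps its own <Password>. sed suffices because the stock file
# has one element per line; avoid '|' and '&' in passwords passed through here.
update_carbon_xml() {
  local file="$1" keyalias="$2" pass="$3" r='/<KeyStore>/,/<\/KeyStore>/'
  sed -i.bak \
    -e "$r s|<Password>.*</Password>|<Password>$pass</Password>|" \
    -e "$r s|<KeyAlias>.*</KeyAlias>|<KeyAlias>$keyalias</KeyAlias>|" \
    -e "$r s|<KeyPassword>.*</KeyPassword>|<KeyPassword>$pass</KeyPassword>|" \
    "$file"
}

# Step 5b: the Thrift entitlement block in identity.xml opens wso2carbon.jks with
# its own <Password>; the element name is used exactly as the post spells it.
update_identity_xml() {
  local file="$1" pass="$2" r='/<ThirftBasedEntitlementConfig>/,/<\/ThirftBasedEntitlementConfig>/'
  sed -i.bak -e "$r s|<Password>.*</Password>|<Password>$pass</Password>|" "$file"
}

# Offline demo of step 5a on a constructed fragment shaped like the stock
# <Security> section (not a real carbon.xml); prints the edited fragment.
demo_carbon_xml_edit() {
  local f; f="$(mktemp)"
  cat >"$f" <<'EOF'
<Security>
    <KeyStore>
        <Password>wso2carbon</Password>
        <KeyAlias>wso2carbon</KeyAlias>
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
    <TrustStore>
        <Password>wso2carbon</Password>
    </TrustStore>
</Security>
EOF
  update_carbon_xml "$f" "$KEY_ALIAS" "$STOREPASS"
  cat "$f"; rm -f "$f" "$f.bak"
}

main() {
  import_key
  trust_own_cert
  check_keystore "$SEC_DIR/wso2carbon.jks" "$KEY_ALIAS" "$STOREPASS"
  update_carbon_xml "$CONF_DIR/carbon.xml" "$KEY_ALIAS" "$STOREPASS"
  update_identity_xml "$CONF_DIR/identity.xml" "$STOREPASS"
  echo "keystore and config updated; now start $CARBON_HOME/bin/wso2server.sh"
}

# 'bash script.sh --run' performs the migration; with no args the file only
# defines the functions, so it can be sourced to try demo_carbon_xml_edit.
if [ "${1:-}" = "--run" ]; then main; fi
```

Two design points worth noting. Passing -destkeypass equal to -deststorepass during the import makes the step 3 requirement hold immediately, so no separate keytool -storepasswd run is needed; if you do choose a new store password, which you should since the shipped "wso2carbon" is public, the same value has to land in carbon.xml and identity.xml, which is what the two update functions do. The sed-based edit relies on the stock one-element-per-line layout of those files; if yours has been reformatted, use an XML-aware tool instead and verify the result by hand before starting the server.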


  1. Hi,

    Thanks for this post, but do you have an updated version for WSO2 IS V5.2?


    1. Hi Jim,

      I think you can follow WSO2 IS 5.2 documentation for this.

      Thanks !

  2. Helpful info! I was not able to get my certificate working with the official documentation, but following your example I was. You can see my id shows up instead of a more complete display name. When I submitted this comment to your Blogger blog, the Identity Server prompted me for permission to release:

    Claim URI Claim Value - email - last_name

    How can I configure WSO2 Identity Server (5.3.0) to release a claim Blogger will display as a more complete display name, e.g. First_Name + Last_Name, rather than my userid?

    I mapped:

    Claim URI
    Mapped Local Claim

    On the redirect, the new mapped claim showed up for release approval, but Blogger still only displays my userid :(

    Is there a different mapping I should make? What about ... why is it being selected? If not ideal, which should I use instead and how?

    I found the following: (not sure if applicable)

    and this statement re: Blogger and Open ID:

    "Note that your display name is the name sent to us by the OpenID provider. If no display name is given, we will try to derive it from your OpenID URL. This is the name that will be displayed as the author of the comment and will be linked to your OpenID URL."

    Do you know if it's possible to customize the user profile page, and maybe add an avatar there? The current page hostname:9443/openid/user shows a broken image for: /carbon/openid-provider/images/openid-biguser.gif.

    Is it possible to send a claim that Blogger will use as an avatar rather than the generic Open ID avatar?

    Thank you!