---
title: KeyStore  (deprecated)
description: The configuration for a Java KeyStore, which stores cryptographic private keys and public key certificates.
component: pinggateway
version: 2025.11
page_id: pinggateway:reference:KeyStore
canonical_url: https://docs.pingidentity.com/pinggateway/2025.11/reference/KeyStore.html
revdate: 2025-10-22T14:04:06Z
section_ids:
  KeyStore-usage: Usage
  KeyStore-properties: Properties
  KeyStore-example: Example
  KeyStore-moreinfo: More information
---

# KeyStore (deprecated)

|   |                                                                                         |
| - | --------------------------------------------------------------------------------------- |
|   | This object is deprecated. Use [KeyStoreSecretStore](KeyStoreSecretStore.html) instead. |

The configuration for a Java [KeyStore](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html), which stores cryptographic private keys and public key certificates.

|   |                                                                                                                        |
| - | ---------------------------------------------------------------------------------------------------------------------- |
|   | Legacy keystore types such as JKS and JCEKS are supported but aren't secure. Consider using the PKCS#12 keystore type. |

## Usage

```json
{
  "name": name,
  "type": "KeyStore",
  "config": {
    "url": configuration expression<url>,
    "passwordSecretId": configuration expression<secret-id>,
    "type": configuration expression<string>,
    "secretsProvider": SecretsProvider reference
  }
}
```

## Properties

* `"url"`: *configuration expression<[url](preface.html#definition-url)>, required*

  URL to the keystore file.

  Learn more in [PingGateway expressions](Expressions.html).

* `"passwordSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, optional*

  The secret ID of the password required to read private keys from the KeyStore.

  This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

  If the KeyStore is used as a truststore to store only public key certificates of peers and no password is required to do so, then you don't have to specify this field.

  Default: No password is set.

  Learn more in [PingGateway expressions](Expressions.html).

* `"type"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The secret store type.

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for the keystore password.

## Example

The following example configures a KeyStore that references the Java KeyStore file `$HOME/keystore.p12`. The KeyStore password is provided by a Java system property or environment variable, and retrieved by the SystemAndEnvSecretStore. By default, the password value must be base64-encoded.

```json
{
  "name": "MyKeyStore",
  "type": "KeyStore",
  "config": {
    "url": "file://${env['HOME']}/keystore.p12",
    "passwordSecretId": "keystore.secret.id",
    "secretsProvider": "SystemAndEnvSecretStore"
  }
}
```

## More information

[org.forgerock.openig.security.KeyStoreHeaplet](../_attachments/apidocs/org/forgerock/openig/security/KeyStoreHeaplet.html)

[JSSE Reference](https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html)

[KeyManager (deprecated)](KeyManager.html)

[TrustManager (deprecated)](TrustManager.html)