Currently, during the enrollment of soft keystores (P12 and JKS), the generated keystore is protected with a password equal to the end entity password.
It would be beneficial if it were possible to provide the end entity password for authentication purposes, while still being able to set a distinct, separate password for the P12/JKS keystore itself during the enrollment (on the public web enrollment page).
This will help with two situations:
- When renewing a JBoss keystore, people will often set a temporary password for the end entity that does not match the configuration in standalone.xml. This way their attention could be drawn to this new password that can be set.
- When generating JBoss keystores after the statedump import, the current procedure is to set a single password for all end entities (many of which can be user-generated tokens where it does not matter), and then go to the admin web to change the end entity password before issuing a JBoss keystore. This is quite a number of unnecessary page visits, and doing away with this would shorten the time to issue JBoss keystores.