diff --git a/src/main/java/org/wildfly/security/_private/ElytronMessages.java b/src/main/java/org/wildfly/security/_private/ElytronMessages.java
index eeae33e34c5..48095300806 100644
--- a/src/main/java/org/wildfly/security/_private/ElytronMessages.java
+++ b/src/main/java/org/wildfly/security/_private/ElytronMessages.java
@@ -1867,6 +1867,9 @@ public interface ElytronMessages extends BasicLogger {
     @Message(id = 9527, value = "Invalid credential store reference")
     ConfigXMLParseException xmlInvalidCredentialStoreRef(@Param Location location);
 
+    @Message(id = 9528, value = "The externalPath attribute for key store type %s is missing.")
+    CredentialStoreException externalPathMissing(String keyStoreType);
+
 
     /* X.500 exceptions */
 
diff --git a/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java b/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
index 6978b2d9b33..4a7ca4a225b 100644
--- a/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
+++ b/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
@@ -142,7 +142,7 @@
  *     <li>{@code keyStoreType}: specifies the key store type to use (defaults to {@link KeyStore#getDefaultType()})</li>
  *     <li>{@code keyAlias}: specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults to {@code cs_key})</li>
  *     <li>{@code external}: specifies whether to store data to external storage and encrypted by {@code keyAlias} key (defaults to {@code false})</li>
- *     <li>{@code externalPath}: specifies path to the external storage. It has to be used in conjunction with {@code external=true} and it defaults to value of {@code location} when {@code keyStoreType} is PKCS11.</li>
+ *     <li>{@code externalPath}: specifies path to the external storage. It has to be used in conjunction with {@code external=true}</li>
  *     <li>{@code cryptoAlg}: cryptographic algorithm name to be used to encrypt decrypt entries at external storage ({@code external} has to be set to {@code true})</li>
  * </ul>
  */
@@ -200,8 +200,7 @@ public void initialize(final Map<String, String> attributes, final CredentialSto
             if (useExternalStorage) {
                 final String externalPathName = attributes.get(EXTERNALPATH);
                 if (externalPathName == null) {
-                    externalPath = location;
-                    location = null;
+                    throw log.externalPathMissing(keyStoreType);
                 } else {
                     externalPath = Paths.get(externalPathName);
                     if (externalPath.equals(location)) {