diff --git a/src/main/java/org/wildfly/security/_private/ElytronMessages.java b/src/main/java/org/wildfly/security/_private/ElytronMessages.java
index eeae33e34c5..48095300806 100644
--- a/src/main/java/org/wildfly/security/_private/ElytronMessages.java
+++ b/src/main/java/org/wildfly/security/_private/ElytronMessages.java
@@ -1867,6 +1867,9 @@ public interface ElytronMessages extends BasicLogger {
@Message(id = 9527, value = "Invalid credential store reference")
ConfigXMLParseException xmlInvalidCredentialStoreRef(@Param Location location);
+ @Message(id = 9528, value = "The externalPath attribute for key store type %s is missing.")
+ CredentialStoreException externalPathMissing(String keyStoreType);
+
/* X.500 exceptions */
diff --git a/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java b/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
index 6978b2d9b33..4a7ca4a225b 100644
--- a/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
+++ b/src/main/java/org/wildfly/security/credential/store/impl/KeyStoreCredentialStore.java
@@ -142,7 +142,7 @@
*
{@code keyStoreType}: specifies the key store type to use (defaults to {@link KeyStore#getDefaultType()})
* {@code keyAlias}: specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults to {@code cs_key})
* {@code external}: specifies whether to store data to external storage and encrypted by {@code keyAlias} key (defaults to {@code false})
- * {@code externalPath}: specifies path to the external storage. It has to be used in conjunction with {@code external=true} and it defaults to value of {@code location} when {@code keyStoreType} is PKCS11.
+ * {@code externalPath}: specifies path to the external storage. It has to be used in conjunction with {@code external=true}
* {@code cryptoAlg}: cryptographic algorithm name to be used to encrypt decrypt entries at external storage ({@code external} has to be set to {@code true})
*
*/
@@ -200,8 +200,7 @@ public void initialize(final Map attributes, final CredentialSto
if (useExternalStorage) {
final String externalPathName = attributes.get(EXTERNALPATH);
if (externalPathName == null) {
- externalPath = location;
- location = null;
+ throw log.externalPathMissing(keyStoreType);
} else {
externalPath = Paths.get(externalPathName);
if (externalPath.equals(location)) {