PIV Smartcard Certificate Reprompt


Farinaz Zahiri

Nov 14, 2025, 3:13:52 AM
to Keycloak Dev

I am developing a custom Keycloak authenticator that detects the presence of a PIV smartcard certificate during login. The authenticator works correctly in detecting when a client certificate is presented via mutual TLS, but the goal is to allow the user to re-prompt the browser to select a certificate (i.e., restart the mTLS handshake) when the card is not initially inserted.

I am relatively new to Keycloak and would appreciate any help you can provide!

Is there any standards-compliant or browser-supported mechanism to explicitly restart the mutual TLS handshake (i.e., re-trigger the client certificate selection dialog) from application logic, without changing hostname?

Are there known Chrome flags, enterprise policies, or dev settings to disable TLS client certificate caching behavior for debugging purposes?

Is this even possible using Keycloak?

  • Keycloak version: 24.0.3
  • Deployment: Local Docker container
  • Browser: Chrome (latest stable, macOS)
  • TLS Setup: Keycloak running with KC_HTTPS_CLIENT_AUTH=request using a locally signed cert/key pair
  • Custom extension: The custom authenticator checks whether a PIV client certificate was presented during the TLS handshake and marks the session accordingly. If no certificate is detected, it renders a challenge page with a “Use SmartCard / PIV” button that attempts to reinitiate authentication.
    • PivPresenceAuthenticator
    • PivPresenceAuthenticatorFactory
    • Custom Freemarker template (piv-presence.ftl)

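As an added illustration of the presence check described above (hypothetical code, not the poster's actual authenticator or anything shipped by Keycloak), this sketch of a `PivPresenceAuthenticator` reads the chain that Keycloak's `X509ClientCertificateLookup` provider extracted from the mTLS handshake and otherwise renders `piv-presence.ftl`. The package name and the `piv.present` auth-note name are assumptions; the `action()` handler only re-runs the same check against the already-established TLS session, which is exactly why the button cannot re-trigger the browser's certificate prompt.

```java
package com.example.piv; // hypothetical package name

import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.x509.X509ClientCertificateLookup;

/** Detects whether a client certificate arrived during the TLS handshake. */
public class PivPresenceAuthenticator implements Authenticator {

    static final String PIV_PRESENT_NOTE = "piv.present"; // assumed note name

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        X509Certificate[] chain = null;
        X509ClientCertificateLookup lookup =
            context.getSession().getProvider(X509ClientCertificateLookup.class);
        if (lookup != null) {
            try {
                chain = lookup.getCertificateChain(context.getHttpRequest());
            } catch (GeneralSecurityException e) {
                chain = null; // treat an unreadable chain as "no card"
            }
        }
        if (chain != null && chain.length > 0) {
            // Presence only: chain building, trust and revocation are NOT checked here;
            // that belongs to the X509 authenticator or whatever terminates TLS.
            context.getAuthenticationSession().setAuthNote(
                PIV_PRESENT_NOTE, chain[0].getSubjectX500Principal().getName());
            context.success();
            return;
        }
        // No certificate: render the "Use SmartCard / PIV" challenge page.
        context.challenge(context.form().createForm("piv-presence.ftl"));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Button press: the browser reuses its cached TLS session, so the
        // handshake is not repeated; we can only look at the same chain again.
        authenticate(context);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```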

Sebastian Łaskawiec

Nov 14, 2025, 5:59:53 AM
to Farinaz Zahiri, Keycloak Dev
Hey Farinaz,

I don't believe it's possible.

During the TLS Handshake, Keycloak (or any other gateway or reverse proxy that is involved in the TLS handshake process) requests a certificate from the browser. This is the moment when the end user sees the certificate prompt from the browser. After selecting the certificate, the TLS session is established and cached and there's no way to display that certificate prompt again.

The only hypothetical way this could work is to add a reverse proxy (or a load balancer) in front of Keycloak that you control and flush the TLS cache there. This should force session re-initialization and the end user should see the certificate prompt again.

Thanks,
Sebastian

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-dev/dbc52d14-cf71-40c9-9235-e46722681722n%40googlegroups.com.

Farinaz Zahiri

Nov 14, 2025, 8:15:38 AM
to Keycloak Dev
Hi, Sebastian!

Thank you so much.

Best,
Farinaz Zahiri
