X509 certificate for client authentication

129 views
Skip to first unread message

hollomy...@163.com

unread,
Mar 22, 2024, 2:52:05 AM3/22/24
to Keycloak User

I am trying to create a client in keycloak that use “X509 Certificate” as the client authenticator (check image 1 below)

I tried this in flowing steps:

  1. enable the mTLS and set trustore file for keycloak by set below options
    https-client-auth=request
    https-trust-store-file=
    https-trust-store-password=
  2. generate a new key in keycloak admin console and save the p12 file on local(check image 2 below)
  3. get the client certificate from the p12 file generated in step 2 and import it to the trust store file
  4. restart keycloak to make keycloak reload the trust store file
  5. use the p12 (contains private key and client certificate) file generated in step 2 to talk to keycloak to fetch a token in client_credentials flow.
Screenshot 2024-03-14 at 17.57.46.png

I can get a token successfully in step 5, my question is did I do it right? Every time I create a new client with “X509 Certificate” client authenticator I need to import the client’s certificate to the trust store and restart keycloak? I don’t think it make sense that it need to restart keycloak to make the new created client work, and actually keycloak will save the client certificate after I click the “Generate new keys” button in admin console UI, why I still need to import it it to trust store file?

It’s very appreciated if someone can tell me I was doing it wrong and give me the right solution, thanks a lot.

Reply all
Reply to author
Forward
0 new messages