Can I import certificates into Keycloak's truststore dynamically?


Allen Gong

Mar 22, 2024, 2:52:29 AM3/22/24
to Keycloak User
We are using "X509 Certificate" as the client authenticator in Keycloak, but every time I create a new client I need to import the client's certificate into Keycloak's truststore and then restart the Keycloak service to make the newly imported certificate work. Is there a solution that can make it work without restarting Keycloak? I don't think it makes any sense to restart Keycloak every time we create a new client.

Pascal Knüppel

Mar 23, 2024, 11:06:10 AM3/23/24
to Keycloak User

You need a certificate that you use as the root certificate. This cert must be put into the truststore, and it is the only certificate that you need to put into your truststore for this purpose.

If you create the private keys and certificates yourself and give them to your clients (I have seen this often enough), everything is pretty easy: create a new key pair and sign it with your root key.

If your clients generate the private keys themselves, you will need to ask them to send you a ".csr" file (Certificate Signing Request). This is basically the structure of the certificate with the details the client wants in the certificate. You then use your root certificate to create and sign the certificate from the .csr. Afterwards you give the certificate back to your client, and the X509 login should work for all certificates that have been generated this way.

You should make sure that your root certificate has the extension that allows it to sign other certificates. If it doesn't, some components will not accept the child certificates for X509 login; an example is the apache2 reverse proxy. Here is a screenshot of the certificate extension, added using the tool KeystoreExplorer:

[screenshot attachment: Unbenannt.PNG]
