gyfoster · February 17, 2023 08:47 · malys · Aug 30, 2019 · gyfoster · Sep 13, 2019
diff --git a/keycloak-wildfly-mutual-ssl.txt b/keycloak-wildfly-mutual-ssl.txt
 ROOT CA
 --------------
 Generate the CA private key:
 $ openssl genrsa -out ca.key 2048

 Create and self sign the root certificate:
 $ openssl req -new -x509 -key ca.key -out ca.crt

 Import root CA certificate into truststore:
 $ keytool -import -file ca.crt -keystore ca.truststore -keypass <password> -storepass <password>


 WILDFLY
 -----------
 Generate wildfly server key:
 $ openssl genrsa -out wildfly.key 2048

 Generate wildfly certificate signing request:
 $ openssl req -new -key wildfly.key -out wildfly.csr

 Sign wildfly CSR using CA key to generate server certificate:
 $ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt

 Convert WildFly cert to pkcs12 format:
 $ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -CAfile ca.crt

 Convert WildFly pkcs12 file to Java keystore:
 $ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>


 KEYCLOAK
 -------------
 Generate keycloak server key:
 $ openssl genrsa -out keycloak.key 2048

 Generate keycloak certificate signing request:
 $ openssl req -new -key keycloak.key -out keycloak.csr

 Sign keycloak CSR using CA key to generate server certificate:
 $ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt

 Convert Keycloak cert to pkcs12 format:
 $ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crt

 Convert Keycloak pkcs12 file to Java keystore:
 $ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>


 CLIENT (browser)
 ------------------
 Generate client server key:
 $ openssl genrsa -out client.key 2048

 Generate client certificate signing request:
 $ openssl req -new -key client.key -out client.csr

 Sign client CSR using CA key to generate server certificate:
 $ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

 Export client certificate to pkcs12 format:
 $ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12


 FINAL STEPS
 ------------
 1. Import clientCert.p12 into browser
 2. Paste wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
 3. Paste keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
 4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml:
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl>
          <keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
      </authentication>
    </security-realm>
 5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl>
          <keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
      </authentication>
    </security-realm>
 6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
    <https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
 7. Add the following properties to your app's keycloak.json:
    ...
    "truststore": "C:\your\truststore\path\ca.truststore",
    "truststore-password": "<password>",
    ...
	ROOT CA
	--------------
	Generate the CA private key:
	$ openssl genrsa -out ca.key 2048

	Create and self sign the root certificate:
	$ openssl req -new -x509 -key ca.key -out ca.crt

	Import root CA certificate into truststore:
	$ keytool -import -file ca.crt -keystore ca.truststore -keypass <password> -storepass <password>


	WILDFLY
	-----------
	Generate wildfly server key:
	$ openssl genrsa -out wildfly.key 2048

	Generate wildfly certificate signing request:
	$ openssl req -new -key wildfly.key -out wildfly.csr

	Sign wildfly CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt

	Convert WildFly cert to pkcs12 format:
	$ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -CAfile ca.crt

	Convert WildFly pkcs12 file to Java keystore:
	$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>


	KEYCLOAK
	-------------
	Generate keycloak server key:
	$ openssl genrsa -out keycloak.key 2048

	Generate keycloak certificate signing request:
	$ openssl req -new -key keycloak.key -out keycloak.csr

	Sign keycloak CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt

	Convert Keycloak cert to pkcs12 format:
	$ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crt

	Convert Keycloak pkcs12 file to Java keystore:
	$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>


	CLIENT (browser)
	------------------
	Generate client server key:
	$ openssl genrsa -out client.key 2048

	Generate client certificate signing request:
	$ openssl req -new -key client.key -out client.csr

	Sign client CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

	Export client certificate to pkcs12 format:
	$ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12


	FINAL STEPS
	------------
	1. Import clientCert.p12 into browser
	2. Paste wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
	3. Paste keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
	4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml:
	<security-realm name="ssl-realm">
	<server-identities>
	<ssl>
	<keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
	</ssl>
	</server-identities>
	<authentication>
	<truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
	</authentication>
	</security-realm>
	5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
	<security-realm name="ssl-realm">
	<server-identities>
	<ssl>
	<keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
	</ssl>
	</server-identities>
	<authentication>
	<truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
	</authentication>
	</security-realm>
	6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
	<https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
	7. Add the following properties to your app's keycloak.json:
	...
	"truststore": "C:\your\truststore\path\ca.truststore",
	"truststore-password": "<password>",
	...