Last active
February 17, 2023 08:47
Instructions for enabling mutual SSL in Keycloak and WildFly
ROOT CA
--------------
Generate the CA private key:
$ openssl genrsa -out ca.key 2048
Create and self-sign the root certificate (without -days the CA certificate is only valid for 30 days):
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Import the root CA certificate into the truststore (only a certificate is stored, so no key password is needed):
$ keytool -importcert -trustcacerts -alias root-ca -file ca.crt -keystore ca.truststore -storepass <password>
WILDFLY
-----------
Generate the WildFly server key:
$ openssl genrsa -out wildfly.key 2048
Generate the WildFly certificate signing request (use the hostname clients will connect to as the CN):
$ openssl req -new -key wildfly.key -out wildfly.csr
Sign the WildFly CSR with the CA key to produce the server certificate:
$ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt
Note: as written this issues a certificate with no extensions at all. Current browsers ignore the CN and require a subjectAltName, so pass -extfile <file> where <file> contains subjectAltName = DNS:<hostname> (and extendedKeyUsage = serverAuth).
Bundle the WildFly certificate and key into PKCS#12 format (-certfile adds ca.crt to the bundle; a bare -CAfile does nothing without -chain):
$ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -certfile ca.crt
Convert the WildFly PKCS#12 file to a Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>
KEYCLOAK
-------------
Generate the Keycloak server key:
$ openssl genrsa -out keycloak.key 2048
Generate the Keycloak certificate signing request (again with the public hostname as the CN):
$ openssl req -new -key keycloak.key -out keycloak.csr
Sign the Keycloak CSR with the CA key to produce the server certificate (the same subjectAltName note as for WildFly applies):
$ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt
Bundle the Keycloak certificate and key into PKCS#12 format:
$ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -certfile ca.crt
Convert the Keycloak PKCS#12 file to a Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>
CLIENT (browser)
------------------
Generate the client key:
$ openssl genrsa -out client.key 2048
Generate the client certificate signing request:
$ openssl req -new -key client.key -out client.csr
Sign the client CSR with the CA key to produce the client certificate (add -extfile with extendedKeyUsage = clientAuth if the server checks certificate purpose):
$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Export the client certificate and key to PKCS#12 format (this bundle contains the private key, so choose a strong export password):
$ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12
FINAL STEPS
------------
1. Import clientCert.p12 into the browser.
2. Copy wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
3. Copy keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml (keystore-password, key-password and the truststore password are the ones chosen above):
<security-realm name="ssl-realm">
  <server-identities>
    <ssl>
      <keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="myserverkeystore" key-password="<password>" />
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
  </authentication>
</security-realm>
5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
<security-realm name="ssl-realm">
  <server-identities>
    <ssl>
      <keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="myserverkeystore" key-password="<password>" />
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
  </authentication>
</security-realm>
6. Replace the https-listener with the following in WildFly's and Keycloak's standalone.xml:
<https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
verify-client="REQUESTED" asks the browser for a certificate but still accepts connections that present none (the application then decides what to do with an unauthenticated request). Use verify-client="REQUIRED" where every connection must present a certificate that validates against ca.truststore, so that the TLS layer itself rejects clients without one.
7. Add the following properties to your app's keycloak.json (backslashes inside a JSON string must be doubled):
...
"truststore": "C:\\your\\truststore\\path\\ca.truststore",
"truststore-password": "<password>",
...
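The whole procedure above (root CA, the two server identities, the browser client, the PKCS#12 bundles and the optional keytool conversion) as one script. This is an added example and not the gist's own commands: it issues the certificates with the extensions the gist's plain "x509 -req" lines leave out (CA basicConstraints and keyCertSign, serverAuth plus a DNS subjectAltName for the servers, clientAuth for the client) and then checks the result with openssl. The hostnames wildfly.example.test and keycloak.example.test, the subject names, the output directory, the default password and all function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the gist: the same root CA / WildFly / Keycloak /
# browser-client PKI, built with the X.509 extensions the gist's commands omit
# and then verified. Hostnames (*.example.test), subject names, the output
# directory and the password are placeholders chosen for this example.

# Minimal config so 'openssl req' does not depend on a system openssl.cnf;
# the subject always comes from -subj.
_mtls_req_cnf() {
    printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\n' > "$1/req.cnf"
}

# Sign $dir/$name.csr with the CA. Profile 'server' gets serverAuth and a DNS
# SAN ($4); profile 'client' gets clientAuth. Extensions come from an ad-hoc
# -extfile, which is exactly what the gist's 'x509 -req' lines are missing.
_mtls_issue() {
    dir="$1"; name="$2"; profile="$3"; san="$4"
    if [ "$profile" = server ]; then
        printf '%s\n' 'basicConstraints = CA:FALSE' \
            'keyUsage = critical,digitalSignature,keyEncipherment' \
            'extendedKeyUsage = serverAuth' \
            "subjectAltName = DNS:$san" > "$dir/$name.ext"
    else
        printf '%s\n' 'basicConstraints = CA:FALSE' \
            'keyUsage = critical,digitalSignature' \
            'extendedKeyUsage = clientAuth' > "$dir/$name.ext"
    fi
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.ext" -out "$dir/$name.crt"
}

# Build everything into $1; $2 is the PKCS#12/keystore password (placeholder).
mtls_pki_build() {
    dir="$1"; pass="${2:-changeit}"
    mkdir -p "$dir" && _mtls_req_cnf "$dir" || return 1
    # Root CA: 10-year validity ('req -x509' without -days would give 30 days),
    # marked as a CA and limited to signing certificates and CRLs.
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.ext"
    openssl genrsa -out "$dir/ca.key" 2048 &&
    openssl req -new -config "$dir/req.cnf" -key "$dir/ca.key" \
        -subj '/CN=Demo Root CA' -out "$dir/ca.csr" &&
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" || return 1
    # Keys and CSRs for the two servers and the browser client.
    for n in wildfly keycloak client; do
        openssl genrsa -out "$dir/$n.key" 2048 &&
        openssl req -new -config "$dir/req.cnf" -key "$dir/$n.key" \
            -subj "/CN=$n.example.test" -out "$dir/$n.csr" || return 1
    done
    _mtls_issue "$dir" wildfly server wildfly.example.test &&
    _mtls_issue "$dir" keycloak server keycloak.example.test &&
    _mtls_issue "$dir" client client || return 1
    # PKCS#12 bundles. -certfile (not a bare -CAfile, which only matters with
    # -chain) puts ca.crt into the bundle so the server sends the full chain.
    for n in wildfly keycloak; do
        openssl pkcs12 -export -in "$dir/$n.crt" -inkey "$dir/$n.key" \
            -certfile "$dir/ca.crt" -name myserverkeystore \
            -passout "pass:$pass" -out "$dir/$n.p12" || return 1
    done
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name browser-client \
        -passout "pass:$pass" -out "$dir/clientCert.p12" || return 1
    # JKS conversion as in the gist, only when a JDK is on the PATH.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -trustcacerts -alias root-ca -file "$dir/ca.crt" \
            -keystore "$dir/ca.truststore" -storepass "$pass" || return 1
        for n in wildfly keycloak; do
            keytool -importkeystore -noprompt -srckeystore "$dir/$n.p12" \
                -srcstoretype PKCS12 -srcstorepass "$pass" \
                -destkeystore "$dir/$n.keystore" -deststoretype JKS \
                -deststorepass "$pass" -destkeypass "$pass" || return 1
        done
    fi
}

# Checks worth running before copying anything into standalone/configuration:
# every leaf chains to ca.crt and verifies for the role it will play.
mtls_pki_verify() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        "$dir/wildfly.crt" "$dir/keycloak.crt" >/dev/null &&
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" >/dev/null &&
    openssl x509 -in "$dir/wildfly.crt" -noout -text | grep -q 'DNS:wildfly.example.test'
}

# Returns 0 when the WildFly server certificate is rejected as a *client*
# identity: its EKU is serverAuth only, so a leaked server certificate cannot
# be presented as a browser certificate to a verifier that checks purpose.
mtls_pki_server_cert_not_client() {
    if openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/wildfly.crt" >/dev/null 2>&1; then
        return 1
    fi
}

# Stand-alone use: MTLS_DIR=./mtls-demo sh mtls-pki.sh
if [ -n "${MTLS_DIR:-}" ]; then
    mtls_pki_build "$MTLS_DIR" "${MTLS_PASS:-changeit}" &&
    mtls_pki_verify "$MTLS_DIR" && mtls_pki_server_cert_not_client "$MTLS_DIR" &&
    echo "PKI written to $MTLS_DIR and verified"
fi
```

Once the listener is configured, the same client material can be used to exercise it without a browser: openssl s_client -connect <host>:8443 -cert client.key-side client.crt -key client.key -CAfile ca.crt should complete the handshake, and with verify-client="REQUIRED" the same command without -cert/-key should be refused. Note that OpenSSL 3 writes PKCS#12 files with AES-256 and PBKDF2 by default; Java releases older than 8u301/11.0.12 cannot read those, so on an old JDK add -legacy (or -keypbe/-certpbe) to the pkcs12 -export calls or run the conversion with keytool on a current JDK.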
@malys Nice!