@gyfoster
Last active February 17, 2023 08:47
Instructions for enabling mutual SSL in Keycloak and WildFly
ROOT CA
--------------
Generate the CA private key:
$ openssl genrsa -out ca.key 2048
Create and self sign the root certificate:
$ openssl req -new -x509 -key ca.key -out ca.crt
Import root CA certificate into truststore:
$ keytool -import -alias ca -file ca.crt -keystore ca.truststore -keypass <password> -storepass <password>
WILDFLY
-----------
Generate wildfly server key:
$ openssl genrsa -out wildfly.key 2048
Generate wildfly certificate signing request:
$ openssl req -new -key wildfly.key -out wildfly.csr
Sign wildfly CSR using CA key to generate server certificate:
$ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt
Convert WildFly cert to pkcs12 format:
$ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -CAfile ca.crt
Convert WildFly pkcs12 file to Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>
KEYCLOAK
-------------
Generate keycloak server key:
$ openssl genrsa -out keycloak.key 2048
Generate keycloak certificate signing request:
$ openssl req -new -key keycloak.key -out keycloak.csr
Sign keycloak CSR using CA key to generate server certificate:
$ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt
Convert Keycloak cert to pkcs12 format:
$ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crt
Convert Keycloak pkcs12 file to Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>
CLIENT (browser)
------------------
Generate client key:
$ openssl genrsa -out client.key 2048
Generate client certificate signing request:
$ openssl req -new -key client.key -out client.csr
Sign client CSR using CA key to generate client certificate:
$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Export client certificate to pkcs12 format:
$ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12
FINAL STEPS
------------
1. Import clientCert.p12 into browser
2. Paste wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
3. Paste keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml (keystore-password and key-password must match the -deststorepass and -destkeypass given to keytool above):
<security-realm name="ssl-realm">
  <server-identities>
    <ssl>
      <keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="myserverkeystore" key-password="<password>" />
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
  </authentication>
</security-realm>
5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml (same password rule as in step 4):
<security-realm name="ssl-realm">
  <server-identities>
    <ssl>
      <keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="myserverkeystore" key-password="<password>" />
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
  </authentication>
</security-realm>
6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
<https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
7. Add the following properties to your app's keycloak.json (backslashes in a JSON string must be doubled):
...
"truststore": "C:\\your\\truststore\\path\\ca.truststore",
"truststore-password": "<password>",
...
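As an added check, not part of the gist, the script below rebuilds the same CA, server and client chain non-interactively with openssl, adds the subjectAltName that the `openssl x509 -req` step above drops (browsers reject server certificates without one), and confirms that a certificate from an unrelated CA does not validate against ca.crt, which is exactly what the ca.truststore in steps 4 and 5 relies on. Hostnames, CNs and the PKCS#12 password `changeit` are assumed values.

```shell
#!/bin/sh
# Added example, not from the gist: rebuilds the CA -> server -> client chain
# non-interactively in a scratch directory, adds the subjectAltName that the
# gist's "openssl x509 -req" step drops (browsers reject server certs without one),
# and shows that only certificates issued by ca.key chain to ca.crt.
# Hostnames, CNs and the PKCS#12 password are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed root, as in the ROOT CA section
make_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/$1.key" -subj "/CN=$1" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME CN EKU [SAN]: key, CSR signed by CA, then the PKCS#12 bundle
issue() {
  ca=$1; name=$2; cn=$3; eku=$4; san=${5:-}
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  # "x509 -req" does not copy extensions from the CSR; supply them via -extfile
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  [ -z "$san" ] || printf 'subjectAltName=%s\n' "$san" >> "$WORK/$name.ext"
  openssl x509 -req -days 3650 -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -certfile "$WORK/$ca.crt" -name "$name" -passout pass:changeit \
    -out "$WORK/$name.p12" 2>/dev/null
}

# chains_to CA NAME: succeeds only if NAME.crt validates against CA.crt,
# the same check a truststore that holds only CA.crt performs
chains_to() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; }

# has_san NAME: succeeds if NAME.crt carries a DNS subjectAltName
has_san() { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'DNS:'; }

# Demonstration: the gist's server and client certs plus one from an unrelated CA
make_ca ca
issue ca wildfly wildfly.example.test serverAuth DNS:wildfly.example.test
issue ca client  alice                clientAuth
make_ca other-ca
issue other-ca stranger bob clientAuth
chains_to ca client && echo "client cert accepted by a truststore holding ca.crt"
chains_to ca stranger || echo "stranger cert rejected: not issued by our CA"
```

Note that `verify-client="REQUESTED"` in step 6 makes the listener ask for a client certificate but still complete the handshake when none is presented; use `REQUIRED` when every connection must present one.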
gyfoster commented Sep 13, 2019

@malys Nice!