<div dir="ltr"><div>We&#39;re looking to provide an API to easily enable key and certificate management for </div><div>Keycloak-based applications. We may have a comprehensive PKI/certificate service</div><div>for KC so as to fulfill all key/certificate/JOSE requirements in the future roadmap. This is a future</div><div>consideration/idea and is not meant as a feature to be merged soon. It will likely hit KC master</div><div>as and when the roadmap requires it.</div><div><br></div><div>The idea is to turn a realm into a Certification Authority, </div><div>responsible for issuing, validating, revoking and renewing certificates for the identity types </div><div>(eg.: realms, users, applications etc) associated with it. Thus, the realm will act </div><div>as the root CA: the realm&#39;s certificate (X509 v1) will be self-signed and the certificates (X509 v3) of </div><div>identity types will be signed with the realm&#39;s certificate.</div><div><br></div><div>So, there will be a pki module with a key and certificate authority which will be able to </div><div>perform all key- and certificate-related functions and hence will be used as per requirements </div><div>by identity types (eg.: realms, users, applications etc).</div><div><br></div><div>In the future, we also want to provide:</div><div>- RESTful endpoints to perform not only certificate operations, but also to manage keys, </div><div>especially public keys. Probably using JSON Web Keys (JWK).</div><div>- Better support for HTML5 and mobile applications that require some kind of support for certificates, </div><div>asymmetric keys, signature and encryption, especially when using JWT and JOSE.</div><div>- Support for Java KeyStores to load and store keys.</div><div>- Implementation of the Let&#39;s Encrypt ACME specification.</div><div>- Support for JWS and JWE, if required.</div><div><br></div><div>After some initial work, I think we have an initial design. We still have to think about it,</div><div>especially regarding the configuration and storage.</div><div><br></div><div>Basically, what we have so far are two main components: KeyAuthority and CertificateAuthority.</div><div>The first is about managing keys (eg.: RSA keys) for the realm and identity types.</div><div>The second one is about managing certificates using those keys for a particular type.</div><div><br></div><div>We have a Key and Certificate Authority which can be injected anywhere and be used accordingly. </div><div>If CDI doesn&#39;t appear to be a good choice, then we can probably use these services directly via method</div><div>invocations: </div><div><br></div><div>    @Inject</div><div>    private KeyAuthority keyAuthority;</div><div><br></div><div>    @Inject</div><div>    private CertificateAuthority certificateAuthority;</div><div><br></div><div>More information here: <a href="https://gist.github.com/girirajsharma/8d59a674a28560ca0a91">https://gist.github.com/girirajsharma/8d59a674a28560ca0a91</a></div><div>First cut on my local keycloak pki branch: <a href="https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29">https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29</a></div><div><br></div><div>Cheers,</div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#888888"><div><a href="http://about.me/girirajsharma?promo=email_sig" target="_blank">about.me/girirajsharma</a></div><div>Giriraj Sharma, </div><div>Department of Computer Science </div><div>National Institute of Technology Hamirpur </div><div>Himachal Pradesh, India 177005<br></div></font></div></div></div></div>
</div>
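As an added example, not code from the proposal or the linked branch, here is a hypothetical realm-level CertificateAuthority sketch on the BouncyCastle PKIX API (which Keycloak already depends on): the realm key pair self-signs the realm certificate, identity certificates are signed with the realm key, and validate() checks the signature, the validity window and an in-memory revocation set standing in for a real CRL/OCSP store. The class and method names, the 365-day lifetime, and the use of a v3 certificate with a BasicConstraints extension for the realm certificate (rather than the v1 certificate mentioned above, so the CA flag is explicit and checkable) are my assumptions.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical realm CA (assumed name): the realm's key pair signs every identity certificate.
public class RealmCertificateAuthority {
    private final KeyPair realmKeys;           // in the proposal this would come from KeyAuthority
    private final X500Name realmDn;
    private final X509Certificate realmCert;   // self-signed realm certificate (the root)
    private final Set<BigInteger> revoked = new HashSet<>(); // constructed stand-in for a CRL store
    private long nextSerial = 2;               // serial 1 is the realm certificate itself
    public RealmCertificateAuthority(String realmName) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        realmKeys = kpg.generateKeyPair();
        realmDn = new X500Name("CN=" + realmName);
        realmCert = sign(realmDn, BigInteger.ONE, realmKeys.getPublic(), true); // issuer == subject
    }
    // Issue a certificate for an identity type (user, application, ...) signed with the realm key.
    public X509Certificate issue(String identityDn, PublicKey identityKey) throws Exception {
        return sign(new X500Name(identityDn), BigInteger.valueOf(nextSerial++), identityKey, false);
    }
    public void revoke(X509Certificate cert) { revoked.add(cert.getSerialNumber()); }
    // Valid only if signed by the realm key, inside its validity window and not revoked.
    public boolean validate(X509Certificate cert) {
        try {
            cert.verify(realmCert.getPublicKey()); // throws unless signed with the realm private key
            cert.checkValidity();                  // throws if expired or not yet valid
            return !revoked.contains(cert.getSerialNumber());
        } catch (Exception e) {
            return false;                          // any failure is a hard reject
        }
    }
    private X509Certificate sign(X500Name subject, BigInteger serial, PublicKey key, boolean isCa) throws Exception {
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(realmDn, serial, now,
                new Date(now.getTime() + TimeUnit.DAYS.toMillis(365)), subject, key);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa)); // CA flag
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(realmKeys.getPrivate())));
    }
}
```

A certificate issued by a different RealmCertificateAuthority instance fails validate() because its signature does not verify against this realm's public key, which is the isolation property the per-realm CA design relies on.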