<div dir="ltr">Acknowledged. Certificate/Key Configuration Authority will facilitate setting configuration for almost all config parameters( eg. key/cert signature algorithm, encryption algorithm, signature/secure random algorithm provider, bit length, validity etc.).</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 26, 2015 at 6:13 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I want a facility in the admin console that can create and name one or<br>
more keypairs/certificates. Then, we can assign these keypair/certs to<br>
various aspects. i.e., Most protocols recommend different keypairs for<br>
encryption and signatures. Some clients may want to use HMAC over RSA, etc.<br>
<div><div class="h5"><br>
On 5/26/2015 3:23 AM, Giriraj Sharma wrote:<br>
> We're looking to provide a API to easily enable Key and Certificate<br>
> Management to<br>
> Keycloak-based applications. We may have a comprehensive PKI/Certificate<br>
> service<br>
> for KC so as to fulfill all key/certificate/JOSE requirements in future<br>
> roadmap. This is a future<br>
> consideration/idea and is not meant as a feature to be merged soon. It<br>
> will be likely to hit KC master<br>
> as and when the roadmap will require.<br>
><br>
> The idea is turn a realm into a Certification Authority,<br>
> responsible for issue, validate, revoke and renew certificates for the<br>
> identity types<br>
> (eg.: realms, users, applications etc) associated with it. Thus, realm<br>
> will act<br>
> as the root CA or realm's certificate(X509 v1) will be self signed and<br>
> certificates(X509 v3) of<br>
> identity types will be signed with realm's certificate.<br>
><br>
> So, there will be a pki module with key and certificate authority which<br>
> will be able to<br>
> perform all key and certificate related functions and hence will be used<br>
> as per requirements<br>
> by identity types(eg.: realms, users, applications etc).<br>
><br>
> In the future, we also want to provide:<br>
> - RESTful Endpoints to perform not only certificate operations, but also<br>
> manage keys.<br>
> Specially public keys. Probably using JSON Web Keys (JWK).<br>
> - Better support for HTML5 and mobile applications that require some<br>
> kind of support for certificates,<br>
> asymmetric keys, signature and encryption. Specially when using JWT and<br>
> JOSE.<br>
> - Support Java KeyStores to load and store keys.<br>
><br>
> -Implementation of lets encrypt ACME Specification.<br>
> -Support for JWS and JWE, if required.<br>
><br>
> After some initial work, I think we have an initial design. Still have<br>
> to think about,<br>
> specially regarding the configuration and storage.<br>
><br>
> Basically, what we have so far are two main components:<br>
> CertificateAuthority and KeyAuthority.<br>
> The first is about managing keys (eg.: RSA keys) for realm and identity<br>
> types.<br>
> The second one is about managing certificates using the keys for a<br>
> particular type.<br>
><br>
> We have Key and Certificate Authority which can be injected anywhere and<br>
> be used accordingly.<br>
> If CDI doesn't appears to be a good choice, then, we can probably<br>
> directly use these services via method<br>
> invocations :<br>
><br>
> @Inject<br>
> private KeyAuthority keyAuthority;<br>
><br>
> @Inject<br>
> private CertificateAuthority certificateAuthority;<br>
><br>
> More information here :<br>
> <a href="https://gist.github.com/girirajsharma/8d59a674a28560ca0a91" target="_blank">https://gist.github.com/girirajsharma/8d59a674a28560ca0a91</a><br>
> First cut on my local keycloak pki branch :<br>
> <a href="https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29" target="_blank">https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29</a><br>
><br>
> Cheers,<br>
><br>
> --<br>
> Giriraj Sharma<br>
> <a href="http://about.me/girirajsharma" target="_blank">about.me/girirajsharma</a><br>
><br>
</div></div>> <<a href="http://about.me/girirajsharma?promo=email_sig" target="_blank">http://about.me/girirajsharma?promo=email_sig</a>><br>
<span class="">><br>
> Giriraj Sharma,<br>
> Department of Computer Science<br>
> National Institute of Technology Hamirpur<br>
> Himachal Pradesh, India 177005<br>
><br>
><br>
</span>> _______________________________________________<br>
> keycloak-dev mailing list<br>
> <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#888888"><div><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-size:14px;font-family:proxima-nova-1,proxima-nova-2,Tahoma,Helvetica,Verdana,sans-serif;vertical-align:baseline;border-spacing:0px;color:rgb(51,51,51);line-height:18.2000007629395px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:30px"> </td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:baseline;width:auto"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;line-height:0"><a href="http://about.me/girirajsharma?promo=email_sig" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;color:rgb(58,169,233);text-decoration:none;display:inline-block" target="_blank"><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;border-spacing:0px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:bold;font-style:inherit;font-size:18px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:1;color:rgb(51,51,51)">Giriraj Sharma</div><div style="margin:3px 0px 0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-size:12px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;color:rgb(43,130,173)">about.me/girirajsharma</div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:8px 0px 0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;text-align:right;height:4px;background-color:rgb(197,208,224)"><img src="http://d13pix9kaak6wt.cloudfront.net/signature/colorbar.png" width="88" alt="" height="4" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;float:right;display:block"></div></td></tr></tbody></table></a> </div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:20px"> </td></tr></tbody></table>Giriraj Sharma, </div><div>Department of Computer Science </div><div>National Institute of Technology Hamirpur </div><div>Himachal Pradesh, India 177005<br></div></font></div></div></div></div>
</div>