<div dir="ltr">HI Marek,<div><br></div><div>I am basically looking after following high level use cases:</div><div><span style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"> * Create root CA and configure KC server</span></div><div><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"> </span><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap">* Create chained realm CA</span></div><div><span style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"> * Create cert for clients - and configure a WAR that uses it to auth the client</span></div><div><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"> </span><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap">* Create cert for user</span></div><div><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"><br></span></div><div><span class="" style="color:rgb(51,51,51);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:14px;line-height:17px;white-space:pre-wrap"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><u>We may have an abstract Keycloak CA which will simply act as the root CA. Certs of realms, users and clients will be signed via this root CA private key. Keycloak ssl will be configured with Keycloak abstract CA keys and certificates in standalone.xml . </u></span><span style="font-size:12.8000001907349px"><u>Users will import their pkcs#12 or .pfx format of certificate and key into their browsers to enable mutual ssl auth. </u></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><u><br></u></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><u>Admins will have ability to upload the root CA certificate/keys. In such a case, certs of realms, users and clients will be signed via the uploaded root CA's keys.</u></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><br></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><h6 style="padding:0px;font-size:1em;margin:1em 0px 0.1em;color:rgb(0,0,0);font-family:Arial,Helvetica,FreeSans,sans-serif">Configure Keycloak/WildFly SSL</h6><div style="color:black;padding:0px;margin:0px 0px 10px;border:1px dashed rgb(187,187,187);overflow:auto;border-radius:5px;font-family:Arial,Helvetica,FreeSans,sans-serif;font-size:13.3333330154419px;line-height:17.3333339691162px;background-image:initial;background-repeat:initial"><div style="color:rgb(51,51,51);margin:0px;padding:0px 10px;font-size:0.95em;background:none"><div style="width:919px;margin:1em 0px!important;overflow:auto!important;font-size:1em!important"><table border="0" cellpadding="0" cellspacing="0" style="clear:left;width:919px;font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;background:none!important"><tbody style="border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background:none!important"><tr style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;height:auto!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;min-height:inherit!important;background:none!important"><td style="width:919px;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;line-height:1.2em!important;border:0px dashed!important;overflow:visible!important;border-radius:0px!important;float:none!important;height:auto!important;outline:0px!important;padding:0px!important;vertical-align:baseline!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><div title="Hint: double-click to select code" style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 0px 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;white-space:pre-wrap!important;background:none!important"><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important"><</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-weight:bold!important;font-size:1em!important;min-height:inherit!important;color:rgb(51,102,153)!important;background:none!important">subsystem</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">xmlns</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"urn:jboss:domain:web:1.1"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">default-virtual-server</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"default-host"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">native</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"true"</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">></code></div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;background:none!important"> </code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important"><</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-weight:bold!important;font-size:1em!important;min-height:inherit!important;color:rgb(51,102,153)!important;background:none!important">connector</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">name</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"http"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">protocol</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"HTTP/1.1"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">scheme</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"http"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">socket-binding</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"http"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">redirect-port</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"443"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">/></code></div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"> </div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;background:none!important"> </code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important"><</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-weight:bold!important;font-size:1em!important;min-height:inherit!important;color:rgb(51,102,153)!important;background:none!important">connector</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">name</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"https"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">scheme</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"https"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">protocol</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"HTTP/1.1"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">socket-binding</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"https"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">enable-lookups</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"false"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">secure</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"true"</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">></code></div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;background:none!important"> </code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important"><</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-weight:bold!important;font-size:1em!important;min-height:inherit!important;color:rgb(51,102,153)!important;background:none!important">ssl</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">name</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"foo-ssl"</code> <code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">password</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"secret"</code> <span style="font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal;background-color:initial"><font color="#666666">Keycloak-abstract-CA</font></span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal;background-color:initial">-</span><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">certificate-key-file</code><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"../standalone/configuration/foo.pem"</code><span style="font-size:1em;line-height:1.2em;background-color:initial"> </span><span style="color:rgb(102,102,102);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal;background-color:initial">Keycloak-abstract-CA-</span><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(128,128,128)!important;background:none!important">certificate-file</code><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">=</code><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(0,51,102)!important;background:none!important">"../standalone/configuration/foo-cert.pem"</code><code style="font-size:1em!important;line-height:1.2em!important;border-radius:0px!important;border:0px!important;float:none!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">/></code></div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;background:none!important"> </code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important"></</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-weight:bold!important;font-size:1em!important;min-height:inherit!important;color:rgb(51,102,153)!important;background:none!important">connector</code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">></code></div><div style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px 1em 0px 0em!important;vertical-align:baseline!important;width:auto!important;font-size:1em!important;min-height:inherit!important;background-image:none!important;background-repeat:initial!important"><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;background:none!important"> </code><code style="border-radius:0px!important;border:0px!important;float:none!important;line-height:1.2em!important;margin:0px!important;outline:0px!important;overflow:visible!important;padding:0px!important;vertical-align:baseline!important;width:auto!important;font-family:Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important;font-size:1em!important;min-height:inherit!important;color:rgb(0,0,0)!important;background:none!important">...</code></div></div></td></tr></tbody></table></div></div></div></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><br></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8000001907349px;line-height:normal;white-space:normal"><span style="font-size:12.8000001907349px"><u>So,In general, standalone.xml can be configured via Keycloak abstract CA's cert and key and users can import their pkcs#12 format into their browsers. I still need to dig around how to configure client war for client mutual SSL authentication with KC server.</u></span></div></span></div><div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 14, 2015 at 11:47 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I want to doublecheck if we are on the same page regarding how client<br>
certificate authentication should work, so we know what are the<br>
requirements for Elytron<br>
to support it. This will allow us to improve things before the Elytron<br>
code freeze (end of August AFAIK) if needed.<br>
<br>
Right now, I am covering just Service accounts and authenticating of<br>
clients with the certificate. But I believe that for authenticate of<br>
users, the requirements will be similar.<br>
<br>
My view is:<br>
- Admin will upload certificate of some client via Keycloak admin<br>
console. (I guess many companies want to use their own certificate<br>
issued by their trusted CA. IMO later Keycloak should provide the<br>
ability to easily generate trusted certificates and act as CA - not sure<br>
if it's something Giriraj is looking at. But for now, I assume that<br>
trusted certificate is always provided by admin and uploaded to Keycloak<br>
admin console)<br>
<br>
- There is REST endpoint, which allows to authenticate with client<br>
certificate. For example<br>
"<a href="https://localhost:8443/auth/realms/demo/clients/certificate" rel="noreferrer" target="_blank">https://localhost:8443/auth/realms/demo/clients/certificate</a>" . Client<br>
will be able to start SSL handshake with it's certificate when sending<br>
request to this endpoint. Server will then verify the underlying<br>
SSLSession from the SSL socket and check that valid client certificate<br>
was provided during handshake. It will authenticate client based on that.<br>
<br>
<br>
To cover this usecase, the Wildfly/Elytron should be able to:<br>
<br>
1) Support "variable" 2-way SSL . In other words, there is possibility<br>
to set flag "setWantClientAuth(true)" in underlying SSLServerSocket.<br>
This means that I will be able to access admin console<br>
"<a href="https://localhost:8443/auth/admin" rel="noreferrer" target="_blank">https://localhost:8443/auth/admin</a>" with my browser without client<br>
certificate, but I will be able to provide client certificate on the<br>
endpoint "<a href="https://localhost:8443/auth/realms/demo/clients/certificate" rel="noreferrer" target="_blank">https://localhost:8443/auth/realms/demo/clients/certificate</a>" ,<br>
which is deployed under same context<br>
<br>
2) Dynamically upload it's truststore at runtime or provide SPI to<br>
add/remove/update certificates in truststore. This is needed, so that<br>
when admin uploads the certificate of client in KC admin console, I want<br>
my client to be able to authenticate with the certificate immediatelly<br>
without need to restart server and edit any JKS files .<br>
<br>
3) Possibility to access underlying SSL Socket and SSL Session from the<br>
REST endpoint, so I am able to verify the certificate in REST endpoint<br>
(but maybe this one could be handled with our server subsystem if it's<br>
not available for normal apps?)<br>
<br>
WDYT? Am I missing something?<br>
<br>
Marek<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#888888"><div><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-size:14px;font-family:proxima-nova-1,proxima-nova-2,Tahoma,Helvetica,Verdana,sans-serif;vertical-align:baseline;border-spacing:0px;color:rgb(51,51,51);line-height:18.2000007629395px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:30px"> </td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:baseline;width:auto"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;line-height:0"><a href="http://about.me/girirajsharma?promo=email_sig" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;color:rgb(58,169,233);text-decoration:none;display:inline-block" target="_blank"><table border="0" cellpadding="0" cellspacing="0" style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;border-spacing:0px"><tbody style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:bold;font-style:inherit;font-size:18px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:1;color:rgb(51,51,51)">Giriraj Sharma</div><div style="margin:3px 0px 0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-size:12px;font-family:proxima-nova-1,Proxima-Nova,Helvetica,Arial,sans-serif;vertical-align:baseline;color:rgb(43,130,173)">about.me/girirajsharma</div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td align="left" valign="top" style="padding:8px 0px 0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;width:auto;line-height:1"><div style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline;text-align:right;height:4px;background-color:rgb(197,208,224)"><img src="http://d13pix9kaak6wt.cloudfront.net/signature/colorbar.png" width="88" alt="" height="4" style="margin: 0px; padding: 0px; border: 0px; outline: 0px; font-weight: inherit; font-style: inherit; font-family: inherit; vertical-align: baseline; float: right; display: block;"></div></td></tr></tbody></table></a> </div></td></tr><tr style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;font-style:inherit;font-family:inherit;vertical-align:baseline"><td style="padding:0px;border:0px;outline:0px;font-style:inherit;font-size:0px;font-family:inherit;vertical-align:baseline;width:auto;height:20px"> </td></tr></tbody></table>Giriraj Sharma, </div><div>Department of Computer Science </div><div>National Institute of Technology Hamirpur </div><div>Himachal Pradesh, India 177005<br></div></font></div></div></div></div>
</div></div></div>