[keycloak-user] Realm Certificate from commercial Vendors
Bill Burke
bburke at redhat.com
Wed Jan 27 09:17:47 EST 2016
You can upload client certs for SAML clients, but I think we have an
attribute size problem for large cert chains.
On 1/27/2016 5:17 AM, Stian Thorgersen wrote:
> We don't support uploading the realm keys through the admin console at
> the moment. However, you should be able to use the admin endpoints to
> manually set it. Should be relatively easy to add though, so you can
> create a JIRA to request it, but you're actually the first to request it.
>
> With regards to clients we don't have an elegant way to deal with
> this. What we have is if the public key is not specified in the client
> config it will download it from Keycloak at startup, so if you restart
> your clients after creating new keys it should work. Ideally Keycloak
> should send a message to the clients to notify them that the keys have
> changed so they can re-fetch from Keycloak, but that hasn't been
> implemented yet. Again, feel free to request that.
>
> On 25 January 2016 at 11:50, Raghuram Prabhala <prabhalar at yahoo.com> wrote:
>
> Dev team - any comments on the commercial certificates instead of
> the ones created by Keycloak?
>
> Raghu
>
> ------------------------------------------------------------------------
> *From:* Raghuram Prabhala <prabhalar at yahoo.com>
> *To:* Keycloak-user <keycloak-user at lists.jboss.org>
> *Sent:* Thursday, January 21, 2016 2:23 PM
> *Subject:* Realm Certificate from commercial Vendors
>
>
> I have a question about the Certificate/private key which is
> generated today by Keycloak. But rather than use that certificate,
> is there any way we can use a commercial Certificate from Vendors
> like Verisign? When that certificate expires, how do we
> generate/upload a new certificate (lifecycle) and handle the
> switch over to a new certificate with minimal impact to any of the
> clients who will have to download the new certificate and use it
> when KC starts using the new one?
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com