<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div><div id="yui_3_16_0_1_1421550321056_2475">Hi Bill - Checked it once again. It appears that the certificate is changing but the key is the same across the keycloak instances as you mentioned. Not sure where the certificate will come into the picture but I did further testing and can confirm that everything works the way it is supposed to across two instances on two hosts.</div><div id="yui_3_16_0_1_1421550321056_2479"><br></div><div id="yui_3_16_0_1_1421550321056_2473" dir="ltr">But is there any way we can upload our own certificate/key to Keycloak instead of having Keycloak generate it? Based on our client requirements, we may need to support different key strengths.</div><div id="yui_3_16_0_1_1421550321056_2472" dir="ltr"><br></div><div id="yui_3_16_0_1_1421550321056_2471" dir="ltr">Thanks,</div><div id="yui_3_16_0_1_1421550321056_2470" dir="ltr">Raghu<br> </div><div id="yui_3_16_0_1_1421550321056_2399" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1421550321056_2398" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1421550321056_2468" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1421550321056_2487"> <font id="yui_3_16_0_1_1421550321056_2469" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Bill Burke &lt;bburke@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> keycloak-user@lists.jboss.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Saturday, January 17, 2015 9:32 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Signing Keys in a cluster<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1421550321056_2397"><br><div 
class="qtdSeparateBR"><br><br></div><div class="yqt8246010749" id="yqtfd60884"><br clear="none">On 1/17/2015 8:54 AM, prab rrrr wrote:<br clear="none">> Hi,<br clear="none">><br clear="none">> I am in the process of setting up a cluster of keycloak instances, all<br clear="none">> of which are accessible by a single url (fronted by a reverse proxy or<br clear="none">> an alias). So when a client application communicates with the single url<br clear="none">> using either SAML or OpenID Connect, how do we ensure that all the<br clear="none">> keycloak instances use the same set of certificates/keys to sign/encrypt<br clear="none">> the SAML/OpenID Connect response?<br clear="none">><br clear="none">> Noticed that we can generate a new set of keys for each realm within<br clear="none">> Keycloak instance but they are different across different instances. Is<br clear="none">> there a way of using the same certificate/keys across all the instances?</div><br clear="none">><br clear="none"><br clear="none">That shouldn't be the case. There should be one key pair per realm. <br clear="none">Sounds like you aren't sharing the same database.<br clear="none"><br clear="none"><br clear="none">-- <br clear="none">Bill Burke<br clear="none">JBoss, a division of Red Hat<br clear="none"><a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com</a><br clear="none">_______________________________________________<br clear="none">keycloak-user mailing list<br clear="none"><a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><div class="yqt8246010749" id="yqtfd05771"><br clear="none"></div><br><br></div> </div> </div> </div></body></html>