<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1454328911294_6165"><span id="yui_3_16_0_1_1454328911294_6183">Thanks Bill and Stian. Will look at the admin endpoints to handle the upload of certificates. Really surprised that this feature wasn't requested yet - created a jira kc2422</span></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1454328911294_6150"><br></div><div class="yahoo_quoted" id="yui_3_16_0_1_1454328911294_6095" style="display: block;">  <div style="font-family: Courier New, courier, monaco, monospace, sans-serif; font-size: 13px;" id="yui_3_16_0_1_1454328911294_6094"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1454328911294_6093"> <div dir="ltr" id="yui_3_16_0_1_1454328911294_6092"> <font size="2" face="Arial" id="yui_3_16_0_1_1454328911294_6091"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Bill Burke &lt;bburke@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> keycloak-user@lists.jboss.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, January 27, 2016 9:17 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Realm Certificate from commercial Vendors<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1454328911294_6256"><br><div id="yiv7912106960"><div id="yui_3_16_0_1_1454328911294_6257">
    You can upload client certs for SAML clients, but I think we have an
    attribute size problem for large cert chains.<br clear="none">
    <br clear="none">
    <div class="yiv7912106960moz-cite-prefix" id="yui_3_16_0_1_1454328911294_6266">On 1/27/2016 5:17 AM, Stian Thorgersen
      wrote:<br clear="none">
    </div>
    <blockquote type="cite" id="yui_3_16_0_1_1454328911294_6259">
      <div dir="ltr" id="yui_3_16_0_1_1454328911294_6258">We don't support uploading the realm keys through
        the admin console at the moment. However, you should be able to
        use the admin endpoints to manually set it. Should be relatively
        easy to add though, so you can create a JIRA to request it, but
        you're actually the first to request it.<br clear="none">
        <div id="yui_3_16_0_1_1454328911294_6260"><br clear="none">
        </div>
        <div id="yui_3_16_0_1_1454328911294_6261">With regard to clients, we don't have an elegant way to
          deal with this. What we have is if the public key is not
          specified in the client config it will download it from
          Keycloak at startup, so if you restart your clients after
          creating new keys it should work. Ideally Keycloak should send
          a message to the clients to notify them that the keys have
          changed so they can re-fetch from Keycloak, but that hasn't
          been implemented yet. Again, feel free to request that.</div>
      </div>
      <div class="yiv7912106960gmail_extra" id="yui_3_16_0_1_1454328911294_6262"><br clear="none">
        <div class="yiv7912106960gmail_quote" id="yui_3_16_0_1_1454328911294_7512">On 25 January 2016 at 11:50, Raghuram
          Prabhala <span dir="ltr">&lt;<a rel="nofollow" shape="rect" ymailto="mailto:prabhalar@yahoo.com" target="_blank" href="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>&gt;</span>
          wrote:<br clear="none">
          <blockquote class="yiv7912106960gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
            <div>
              <div style="color:#000;background-color:#fff;font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px;">
                <div><span>Dev team - any comments on the commercial
                    certificates instead of the ones created by
                    Keycloak?</span></div>
                <div><span><br clear="none">
                  </span></div>
                <div><span>Raghu</span></div>
                <div><br clear="none">
                </div>
                <div style="display:block;">
                  <div class="yiv7912106960hm yiv7912106960HOEnZb"> </div>
                  <div style="font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px;">
                    <div class="yiv7912106960hm yiv7912106960HOEnZb"> </div>
                    <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
                      <div class="yiv7912106960hm yiv7912106960HOEnZb">
                        <div dir="ltr"> <font size="2" face="Arial">
                            </font><hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                            Raghuram Prabhala &lt;<a rel="nofollow" shape="rect" ymailto="mailto:prabhalar@yahoo.com" target="_blank" href="mailto:prabhalar@yahoo.com"></a><a rel="nofollow" shape="rect" class="yiv7912106960moz-txt-link-abbreviated" ymailto="mailto:prabhalar@yahoo.com" target="_blank" href="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>&gt;<br clear="none">
                            <b><span style="font-weight:bold;">To:</span></b>
                            Keycloak-user &lt;<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;
                            <br clear="none">
                            <b><span style="font-weight:bold;">Sent:</span></b>
                            Thursday, January 21, 2016 2:23 PM<br clear="none">
                            <b><span style="font-weight:bold;">Subject:</span></b>
                            Realm Certificate from commercial Vendors<br clear="none">
                           </div>
                      </div>
                      <span class="yiv7912106960">
                        </span><div><br clear="none">
                          <div>
                            <div>
                              <div style="color:#000;background-color:#fff;font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px;">
                                <div><br clear="none">
                                </div>
                                <div>I have a question about the
                                  Certificate/private key which is
                                  generated today by Keycloak. But
                                  rather than use that certificate, is
                                  there any way we can use a commercial
                                  Certificate from Vendors like
                                  Verisign? When that certificate
                                  expires, how do we generate/upload a
                                  new certificate (lifecycle) and handle
                                  the switch over to a new certificate
                                  with minimal impact to any of the
                                  clients who will have to download the
                                  new certificate and use it when KC
                                  starts using the new one?</div>
                                <div dir="ltr"><br clear="none">
                                </div>
                                <div dir="ltr"><br clear="none">
                                </div>
                              </div>
                            </div>
                          </div>
                          <br clear="none">
                          <br clear="none">
                        </div>
                      </div>
                  </div>
                </div>
              </div>
            </div>
            <br clear="none">
            _______________________________________________<br clear="none">
            keycloak-user mailing list<br clear="none">
            <a rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">
            <a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><div class="yiv7912106960yqt5276523993" id="yiv7912106960yqtfd66240"><br clear="none">
          </div></blockquote><div class="yiv7912106960yqt5276523993" id="yiv7912106960yqtfd83387">
        </div></div><div class="yiv7912106960yqt5276523993" id="yiv7912106960yqtfd07884">
        <br clear="none">
      </div></div><div class="yiv7912106960yqt5276523993" id="yiv7912106960yqtfd61648">
      <br clear="none">
      <fieldset class="yiv7912106960mimeAttachmentHeader"></fieldset>
      <br clear="none">
      </div>
    </blockquote>
    <br clear="none">
    <pre class="yiv7912106960moz-signature">-- 
Bill Burke
JBoss, a division of Red Hat
<a rel="nofollow" shape="rect" class="yiv7912106960moz-txt-link-freetext" target="_blank" href="http://bill.burkecentral.com/">http://bill.burkecentral.com</a></pre><div class="yiv7912106960yqt5276523993" id="yiv7912106960yqtfd29137">
  </div></div></div><br><br><br></div> </div> </div>  </div></div></body></html>