<div dir="ltr">Please don't hijack a thread. These sound like two separate issues. Here we are talking about getting client adapter to connect to https protected Keycloak server - which requires that some truststore is used by HttpClient library used by adapter.<div><br></div><div>What you are talking about - realm keys - is something completely different, and has nothing to do with a truststore.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 19, 2016 at 3:10 PM, Jeremy Simon <span dir="ltr"><<a href="mailto:jeremy@jeremysimon.com" target="_blank">jeremy@jeremysimon.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey there,<br>
<br>
I had asked about this a while ago too. Far as I know, the current<br>
implementation uses the jks for the HTTPS communication only. All<br>
realms generate their own key pair.<br>
<br>
Now to get around that, maybe you could export a realm to JSON, put in<br>
what you want for the key information and import it as a new realm or<br>
server configuration. That might be a little crazy. The more I<br>
thought about it, since the realm key pairs are for signing and<br>
encrypting the JWTs (or saml), that it's kinda nice you can hit a key<br>
and generate new ones in case of a compromise...or to keep stuff<br>
revolving.<br>
<br>
Hope that helps!<br>
<br>
jeremy<br>
<a href="mailto:jeremy@jeremysimon.com">jeremy@jeremysimon.com</a><br>
<a href="http://www.JeremySimon.com" rel="noreferrer" target="_blank">www.JeremySimon.com</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Fri, Feb 19, 2016 at 8:41 AM, Jérôme Revillard <<a href="mailto:jrevillard@gnubila.fr">jrevillard@gnubila.fr</a>> wrote:<br>
> Any advise for this please ?<br>
><br>
> Best,<br>
> Jerome<br>
><br>
><br>
> Le 17/02/2016 11:19, Jérôme Revillard a écrit :<br>
><br>
> Yes, it seems to be the case for the server, but not for the clients. See<br>
> the trustore config description here:<br>
> <a href="https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config" rel="noreferrer" target="_blank">https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a><br>
><br>
> Best,<br>
> Jerome<br>
><br>
> Le 17/02/2016 11:09, Bruno Oliveira a écrit :<br>
><br>
> I'm not sure if I got your question in the right way. But from my<br>
> understanding Java truststore is the standard fall back.<br>
><br>
> See item 3.2.5<br>
> <a href="https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html" rel="noreferrer" target="_blank">https://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html</a><br>
><br>
> On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <<a href="mailto:jrevillard@gnubila.fr">jrevillard@gnubila.fr</a>><br>
> wrote:<br>
>><br>
>> Dear all,<br>
>><br>
>> I'm testing now a Keycloak server properly configured with https<br>
>> configuration.<br>
>> The server certificate is one which is already known by the default java<br>
>> trustore.<br>
>> Would it be possible to setup the keycloak.json adapter config to use<br>
>> this default java trustore ?<br>
>><br>
>> Best,<br>
>> Jerome<br>
>><br>
>> _______________________________________________<br>
>> keycloak-user mailing list<br>
>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div></div></blockquote></div><br></div>