To support first/initial cut of certificate management for realm users, we can have  keys and X509 Certificate generation for each individual user at the time of its creation. This will imply for realm admin too.

While viewing an individual user for any specific realm in administrative console, we can have Keys View in addition to Attributes, Credentials, Role Mappings and Sessions. Keys View (UI) will let user retrieve, validate, revoke, renew(revoke+generate) and delete(optional) his keys/Certificates.

If it makes sense, I shall start working around it.

--