I more or less meant the same :)
For the first/initial implementation:
Consider a use case :-
Company X uploads his keycloak-server.json to KC auth server.
As the user will upload/create a new realm, the realm will be initialized by auto-generated keys/certificates.
We do have keys tab in admin console for a realm. When admin will click upon keys, he will be shown his auto-generated keys/certificates.
Now, admin will have an option to either keep those keys/certs or else delete them and upload his own. It will provide upload/download functionality. These keys/certs will represent CA key/certs.
Talking about users, each user will be initialized with auto-generated keys/certs at the time of its creation.
While viewing an individual user for any specific realm in administrative console, we can have Keys View in addition to Attributes, Credentials, Role Mappings and Sessions.
Keys View (UI) will initially show auto generated keys/cert to the user where he can perform all CA operations.
Keys View (UI) will let user upload, download, retrieve, validate, revoke, renew(revoke+generate) and delete(optional) his keys/Certificates.
Once first class requirements are done, we can look forward to