On 7/16/2015 4:20 AM, Marek Posolda wrote:
>> I'm not sure we really need to have any special integration with
>> Elytron. We just need to make sure that it can support certificate
>> chains the way we want to support it. I'm pretty sure EAP 6.x can
>> support what we want, read on...
>>
>> The certificate chain is available from the HttpServletRequest as per the
>> spec. I'm not exactly sure on the specifics, but all you need is one
>> "root" certificate in the web server's trust store. Then you could
>> conceivably create a trusted certificate chain as follows:
>>
>> 1) Organization root certificate.
>>
>> 2) Root cert signs Realm cert.
>>
>> 3) Realm cert signs client cert.
>>
>> Following me? My guess is that it would be really easy to issue our own
>> client certs and that we could have a Required Action that helped set
>> this up.
>>
> Yeah, so if we can just put the root certificate in the truststore at startup,
> it's easy. The issue might be if we want the root CA to be added to the
> truststore at "runtime", as Stian mentioned in another mail. Will try to
> double-check if it's possible.
I don't know how well cert chains are supported. I guess you'll find out :)
For client auth, shouldn't we just support the best practices and
whatever the spec requires? 2-way SSL is a pain in the ass, wouldn't
you be better off with PIN+OTP? Much easier to set up and manage.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
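The three-level chain described in the quoted message (organization root signs the realm cert, the realm cert signs the client cert), worked through as an added Go example. This is not code from this thread, from Keycloak or from Elytron; it uses only the Go standard library, the certificate names are placeholders I made up, and the keys and certificates are generated in memory when the program runs. The point it demonstrates is the one made above: the trust store holds only the root, and the client cert verifies because the realm cert is presented alongside it as an intermediate, exactly as a TLS client sends its chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three constructed certificates: org root -> realm CA -> client.
type Chain struct{ Root, Realm, Client *x509.Certificate }

// tmpl builds a certificate template; CAs get CertSign, leaves get ClientAuth.
func tmpl(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // placeholder names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue creates a fresh P-256 key and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed (the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues the root, the realm CA signed by the root, and a client
// cert signed by the realm CA. The realm and client private keys are dropped
// after signing because verification only needs the public certificates.
func BuildChain() (Chain, error) {
	root, rootKey, err := issue(tmpl("Example Org Root CA", true, 1), nil, nil)
	if err != nil {
		return Chain{}, err
	}
	realm, realmKey, err := issue(tmpl("Example Realm CA", true, 2), root, rootKey)
	if err != nil {
		return Chain{}, err
	}
	client, _, err := issue(tmpl("alice", false, 3), realm, realmKey)
	if err != nil {
		return Chain{}, err
	}
	return Chain{Root: root, Realm: realm, Client: client}, nil
}

// VerifyClient validates the client cert against a trust store containing
// only the root. includeRealm models whether the client presented the realm
// cert in its TLS chain; without it the path to the root cannot be built.
func VerifyClient(c Chain, includeRealm bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	intermediates := x509.NewCertPool()
	if includeRealm {
		intermediates.AddCert(c.Realm)
	}
	_, err := c.Client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("with realm cert presented:   ", VerifyClient(c, true))
	fmt.Println("without realm cert presented:", VerifyClient(c, false))
}
```

The second call fails with an unknown-authority error, which is the case to watch for in a deployment: if the client (or the realm that issued its cert) does not ship the realm cert along with the client cert, a trust store holding only the org root cannot complete the path, and the server rejects an otherwise valid certificate. Adding the root to the trust store at runtime, as Marek raises above, is a separate question of how the container reloads its pool and is not addressed here.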