It worked for me, now I can login with Facebook.
I had to export 3 root CAs from the default Java cacerts keystore, then
import them into my keystore.
This is not the best way to fix the problem, but until we have a
flag on Keycloak to indicate we want to use both our keystore and the Java
keystore this will work.
Certificates to export:
digicertglobalrootca
digicertassuredidrootca
digicerthighassuranceevrootca
How to export:
keytool -exportcert -alias digicertglobalrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -exportcert -alias digicertassuredidrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -exportcert -alias digicerthighassuranceevrootca -keystore cacerts -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt
How to import into another keystore:
keytool -import -trustcacerts -alias digicertglobalrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -import -trustcacerts -alias digicertassuredidrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -import -trustcacerts -alias digicerthighassuranceevrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt
On 12/02/16 08:44, "Marko Strukelj" <mstrukel(a)redhat.com> wrote:
We could add such a flag, don't know how hard it would be to
implement.
In principle I agree about CA cert updates. But they are many, and for
your customized truststore you may add only a few, and for big-name
services. If CAs are revoked, then your integration will stop working
as those services will start using new certs that you don't have in
your truststore.
It's quite unlikely OTOH to notice one of the 100 trusted-by-default
CAs that you never connect to, that can one day be used to forge a
certificate for one of the services that you do use - that one you
won't notice until you update Java.
________________________________
This message may contain confidential and/or privileged information. If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based on
this message or any information herein. If you have received this message
in error, please advise the sender immediately by reply e-mail and delete
this message. Thank you for your cooperation.
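The keytool export/import sequence above can be done in one step with the Java KeyStore API, which also makes it easy to copy every trusted root rather than a hand-picked three. The program below is an added example, not Keycloak's or JBoss's own code; it assumes the JDK cacerts password is the default "changeit" and takes the target truststore path and password from the command line. It copies only trustedCertEntry entries (never private keys), never overwrites an alias that is already in the target, and writes the result through a temporary file so an interrupted run cannot leave a truncated truststore behind.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not Keycloak's or JBoss's own code.
 *
 * Copies trusted-CA entries from the JDK's default cacerts into a custom
 * truststore, so the custom store keeps its own entries (e.g. an internal CA)
 * and also trusts the public roots the JDK ships with. Re-running it after a
 * Java update picks up roots the JDK added or replaced in the meantime.
 *
 * Assumptions: the JDK cacerts password is the default "changeit"; the target
 * store path and its password are given on the command line.
 */
public class MergeTrustedRoots {

    /** The three aliases named in the thread, used when no aliases are given. */
    static final List<String> DEFAULT_ALIASES = Arrays.asList(
            "digicertglobalrootca",
            "digicertassuredidrootca",
            "digicerthighassuranceevrootca");

    /** Loads a JKS file; on JDK 9+ the JKS loader transparently accepts PKCS12 files too. */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies the requested trusted-certificate entries from source to target and
     * writes target back to disk. Returns the number of entries added. An empty
     * alias list means "every trusted entry in the source". Existing target
     * entries are never overwritten and private-key entries are never copied.
     */
    static int mergeTrusted(Path srcPath, char[] srcPw, Path dstPath, char[] dstPw,
                            List<String> aliases) throws Exception {
        KeyStore source = load(srcPath, srcPw);
        KeyStore target = load(dstPath, dstPw);
        List<String> wanted = aliases.isEmpty() ? Collections.list(source.aliases()) : aliases;

        int copied = 0;
        for (String alias : wanted) {
            if (!source.isCertificateEntry(alias)) {
                System.err.println("skip " + alias + ": not a trusted certificate entry in " + srcPath);
                continue;
            }
            if (target.containsAlias(alias)) {
                System.err.println("skip " + alias + ": already present in " + dstPath);
                continue;
            }
            Certificate cert = source.getCertificate(alias);
            target.setCertificateEntry(alias, cert);
            copied++;
        }

        // Write to a temp file in the same directory, then rename over the target,
        // so a crash mid-write cannot leave the server with a half-written truststore.
        Path dir = dstPath.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "truststore", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            target.store(out, dstPw);
        }
        Files.move(tmp, dstPath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return copied;
    }

    /** Usage: MergeTrustedRoots <target.jks> <target-password> [--all | alias ...] */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: MergeTrustedRoots <target.jks> <target-password> [--all | alias ...]");
            System.exit(2);
        }
        // Default cacerts of the JDK/JRE that is running this program
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        List<String> aliases;
        if (args.length == 2) {
            aliases = DEFAULT_ALIASES;
        } else if (args.length == 3 && args[2].equals("--all")) {
            aliases = Collections.emptyList();   // empty list = copy every trusted entry
        } else {
            aliases = Arrays.asList(args).subList(2, args.length);
        }
        int n = mergeTrusted(cacerts, "changeit".toCharArray(),
                             Paths.get(args[0]), args[1].toCharArray(), aliases);
        System.out.println("copied " + n + " trusted CA entries into " + args[0]);
    }
}
```

Run as `java MergeTrustedRoots jboss/ssl/eap-des1.yyy.com.br.keystore.jks <store-password>` to add just the three DigiCert roots, or append `--all` to mirror the whole JDK trust set into the custom store. The `--all` mode is the one that answers the concern raised above about a narrowed truststore silently drifting from Java's: the custom store then trusts exactly what the JDK trusts plus your own entries, at the cost of inheriting the same exposure, so it should be re-run (and the server restarted) after every JDK update that changes cacerts.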