Hi Bill - Checked it once again. It appears that the certificate is changing but the key is the same across the Keycloak instances, as you mentioned. Not sure where the certificate comes into the picture, but I did further testing and can confirm that everything works the way it is supposed to across two instances on two hosts.

But is there any way we can upload our own certificate/key to Keycloak instead of having Keycloak generate it? Based on our client requirements, we may need to support different key strengths.

Thanks,
Raghu
 

From: Bill Burke <bburke@redhat.com>
To: keycloak-user@lists.jboss.org
Sent: Saturday, January 17, 2015 9:32 AM
Subject: Re: [keycloak-user] Signing Keys in a cluster
On 1/17/2015 8:54 AM, prab rrrr wrote:
> Hi,
>
> I am in the process of setting up a cluster of keycloak instances, all
> of which are accessible by a single url (fronted by a reverse proxy or
> an alias). So when a client application communicates with the single url
> using either SAML or Openid Connect, how do we ensure that all the
> keycloak instances use the same set of certificates/keys to sign/encrypt
> the SAML/OpenID Connect response?
>
> Noticed that we can generate a new set of keys for each realm within
> Keycloak instance but they are different across different instances. Is
> there a way of using the same certificate/keys across all the instances?
That shouldn't be the case.  There should be one key pair per realm.
Sounds like you aren't sharing the same database.


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
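An added check, not from the thread, that confirms Bill's point across nodes: fetch each node's realm JWKS (the `/realms/<realm>/protocol/openid-connect/certs` path and all key values below are assumed or constructed) and compare RFC 7638 thumbprints of the signing keys. The thumbprint depends only on the key material, so a re-issued self-signed certificate around the same key, as Raghu observed, is not flagged; a node with its own database and therefore its own realm key pair is.

```python
import base64
import hashlib
import json

# Constructed sample JWKS documents, standing in for what each Keycloak node
# would serve for the same realm (endpoint path assumed:
# /realms/<realm>/protocol/openid-connect/certs).
# node-a and node-b share a database: same key material, but node-b has
# re-issued its self-signed certificate (x5c differs), as Raghu observed.
# node-c runs against its own database and so has its own realm key pair.
SHARED_N = "sample-modulus-A"  # constructed, not a real RSA modulus
JWKS_BY_NODE = {
    "node-a": {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "alg": "RS256",
                         "n": SHARED_N, "e": "AQAB", "x5c": ["cert-v1"]}]},
    "node-b": {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "alg": "RS256",
                         "n": SHARED_N, "e": "AQAB", "x5c": ["cert-v2"]}]},
    "node-c": {"keys": [{"kty": "RSA", "kid": "k9", "use": "sig", "alg": "RS256",
                         "n": "sample-modulus-C", "e": "AQAB", "x5c": ["cert-v9"]}]},
}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical JSON of
    its required members (e, kty, n) only, so kid and x5c do not affect it."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def signing_thumbprints(jwks):
    """Thumbprints of the RSA signing keys in one node's JWKS document."""
    return frozenset(jwk_thumbprint(k) for k in jwks["keys"]
                     if k.get("kty") == "RSA" and k.get("use", "sig") == "sig")


def divergent_nodes(jwks_by_node):
    """Nodes whose set of signing keys differs from the first node's.
    A healthy cluster (one key pair per realm, shared database) returns []."""
    per_node = {node: signing_thumbprints(j) for node, j in jwks_by_node.items()}
    reference = next(iter(per_node.values()))
    return sorted(node for node, keys in per_node.items() if keys != reference)


if __name__ == "__main__":
    bad = divergent_nodes(JWKS_BY_NODE)
    print("all nodes agree" if not bad else f"divergent nodes: {bad}")
```

In a real deployment, replace the constructed dictionary with the JSON fetched from each node directly (bypassing the reverse proxy), since the proxy hides which node answered.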