import SAML keys via command line - keycloak-user - Jboss List Archives

2025

January

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

import SAML keys via command line

Disabling User Account Service

Keycloak client user federation...

Pieter Lukasse

Tuesday, 19 September 2017 Tue, 19 Sep '17

5:43 a.m.

Hi, I have a .jks file which I would like to import into keycloak using the command line instead of the "SAML keys" page (in SAML client config page). I cannot find any command for this here http://www.keycloak.org/ docs/3.3/server_admin/topics/admin-cli.html Is this just missing or is the documentation incomplete? Can someone help me on this one? Thanks, Pieter www.thehyve.nl E pieter(a)thehyve.nl T +31(0)30 700 9713 M +31(0)6 28 18 9540 Skype pieter.lukasse We empower scientists by building on open source software

Reply

Show replies by date

John Dennis

Tuesday, 19 September Tue, 19 Sep

10:24 a.m.

On 09/19/2017 06:43 AM, Pieter Lukasse wrote:

Hi, I have a .jks file which I would like to import into keycloak using the command line instead of the "SAML keys" page (in SAML client config page). I cannot find any command for this here http://www.keycloak.org/ docs/3.3/server_admin/topics/admin-cli.html Is this just missing or is the documentation incomplete? Can someone help me on this one?

You can import using the Java keytool utility, but the import format MUST be PKCS12. Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully it should be obvious which xxx matches in each command. First create a .p12 PKCS12 file: % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey key.pem -out xxx.p12 Then import the .p12 PKCS12 file into the keystore: % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx -- John

Reply

John Dennis

12:04 p.m.

On 09/19/2017 11:24 AM, John Dennis wrote:

On 09/19/2017 06:43 AM, Pieter Lukasse wrote: > Hi, > > I have a .jks file which I would like to import into keycloak using the > command line instead of the "SAML keys" page (in SAML client config page). > > I cannot find any command for this here http://www.keycloak.org/ > docs/3.3/server_admin/topics/admin-cli.html > > Is this just missing or is the documentation incomplete? Can someone help > me on this one? You can import using the Java keytool utility, but the import format MUST be PKCS12. Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully it should be obvious which xxx matches in each command. First create a .p12 PKCS12 file: % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey key.pem -out xxx.p12 Then import the .p12 PKCS12 file into the keystore: % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx

I may have misread your original question, I thought you were asking how to import a key. But if all you want to do is import the contents of another JAVA keystore then just use -importkeystore -srckeystore JKS. The keytool man page has keystore import examples, including both importing an entire keystore or juast a specific key from the keystore. See the man page for details. -- John

Reply

Pieter Lukasse

Wednesday, 20 September Wed, 20 Sep

4:14 a.m.

Hi John, thanks for your replies. I might have cause some confusion by not stating the question clearly. I did have a screenshot in my initial post, but this is apparently not allowed...so I will try with words :) I am referring to the process of importing SAML keys when you are using the Administration console (from your browser). Go to "Clients" menu item, select a SAML client, and then click on "SAML Keys" tab. There you can import the keys. Now I am looking for a command line alternative for this, so I don't have to use the web page. Thanks, Pieter www.thehyve.nl E pieter(a)thehyve.nl T +31(0)30 700 9713 M +31(0)6 28 18 9540 Skype pieter.lukasse We empower scientists by building on open source software 2017-09-19 19:04 GMT+02:00 John Dennis <jdennis(a)redhat.com>:

On 09/19/2017 11:24 AM, John Dennis wrote: > On 09/19/2017 06:43 AM, Pieter Lukasse wrote: > >> Hi, >> >> I have a .jks file which I would like to import into keycloak using the >> command line instead of the "SAML keys" page (in SAML client config >> page). >> >> I cannot find any command for this here http://www.keycloak.org/ >> docs/3.3/server_admin/topics/admin-cli.html >> >> Is this just missing or is the documentation incomplete? Can someone help >> me on this one? >> > > You can import using the Java keytool utility, but the import format > MUST be PKCS12. > > Note: replace xxx, key.pem & cert.pem with appropriate values, hopefully > it should be obvious which xxx matches in each command. > > First create a .p12 PKCS12 file: > > % openssl pkcs12 -export -name xxx -passout pass:xxx -in cert.pem -inkey > key.pem -out xxx.p12 > > Then import the .p12 PKCS12 file into the keystore: > > % keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 > -srcstorepass xxx -destkeystore keycloak.jks -deststorepass xxx -alias xxx > I may have misread your original question, I thought you were asking how to import a key. But if all you want to do is import the contents of another JAVA keystore then just use -importkeystore -srckeystore JKS. The keytool man page has keystore import examples, including both importing an entire keystore or juast a specific key from the keystore. See the man page for details. -- John

Reply

John Dennis

8:34 a.m.

On 09/20/2017 05:14 AM, Pieter Lukasse wrote:

Hi John, thanks for your replies. I might have cause some confusion by not stating the question clearly. I did have a screenshot in my initial post, but this is apparently not allowed...so I will try with words :) I am referring to the process of importing SAML keys when you are using the Administration console (from your browser). Go to "Clients" menu item, select a SAML client, and then click on "SAML Keys" tab. There you can import the keys. Now I am looking for a command line alternative for this, so I don't have to use the web page.

O.K., keys used for SAML SP signing and encryption are a different story. I can't tell you how Keycloak stores these internally nor should you be dependent on whatever the current implementation. You mentioned a JAVA keystore, but that's just one possibility, plus you would have to know how Keycloak manages the key names (including key rotation). You should stick to using Keycloaks defined interfaces. The standard way SAML SP keys are imported to an IdP is by loading the SP's metadata which contains the key(s). You can do this either with the Web UI, the client registration protocol, or with the REST API. The later two can be done from the command line if you have the proper tooling to communicate with the Keycloak endpoints. I've written code that does exactly this. Or you can use the REST API to update the client representation directly in lieu of using metadata. The Keycloak team has done some work on providing a command line administration tool but I'm not sure of the status of that effort. But one question I'm left with is why you're changing an SP keys so often this is actually a burden. (Or similarly why you're not using metadata). -- John

Reply

2674

days inactive

2675

days old

keycloak-user@lists.jboss.org

Manage subscription

4 comments

2 participants

tags (0)

participants (2)

John Dennis
Pieter Lukasse