[keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication
bburke at redhat.com
Thu Jul 16 08:40:11 EDT 2015
On 7/16/2015 4:20 AM, Marek Posolda wrote:
>> I'm not sure we really need to have any special integration with
>> Elytron. We just need to make sure that it can support certificate
>> chains the way we want to support it. I'm pretty sure EAP 6.x can
>> support what we want, read on...
>> The certificate chain is available from the HttpServletRequest as per the
>> spec. I'm not exactly sure on the specifics, but all you need is one
>> "root" certificate in the web server's trust store. Then you could
>> conceivably create a trusted certificate chain as follows:
>> 1) Organization root certificate.
>> 2) Root cert signs Realm cert.
>> 3) Realm cert signs client cert.
>> Following me? My guess is that it would be really easy to issue our own
>> client certs and that we could have a Required Action that helped set
>> this up.
> Yeah, so if we can just put root certificate in truststore at startup,
> it's easy. The issue might be if we want root CA to be added to
> truststore at "runtime" as Stian mentioned in other mail. Will try to
> double-check if it's possible.
I don't know how well cert chains are supported. I guess you'll find out :)
For client auth, shouldn't we just support the best practices and
whatever the spec requires? 2-way SSL is a pain in the ass, wouldn't
you be better off with PIN+OTP? Much easier to set up and manage.
JBoss, a division of Red Hat
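The chain the thread describes (organization root signs the realm cert, realm cert signs the client cert, only the root in the server's trust store) as an added example that is not code from this thread or from Keycloak: it reads the chain from the request attribute the Servlet spec defines and validates it with the JDK's PKIX validator against the root alone. The `orgRoot` certificate and the `HttpServletRequest` are assumed to be supplied by the caller.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.servlet.http.HttpServletRequest;

public final class ClientCertChainCheck {

    // Request attribute defined by the Servlet spec; the container sets it only
    // when the TLS handshake included a client certificate.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Leaf-first chain presented by the client, or null if none was sent. */
    public static X509Certificate[] chainFrom(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return (X509Certificate[]) attr;
        }
        return null;
    }

    /**
     * Validates the chain client -> realm against the organization root alone.
     * The realm (intermediate) cert rides along in the presented chain, so the
     * trust store only needs the root. Returns the authenticated leaf cert.
     */
    public static X509Certificate validate(X509Certificate[] chain, X509Certificate orgRoot)
            throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // Some containers append the root itself; PKIX wants the anchor outside the path.
        if (path.get(path.size() - 1).equals(orgRoot)) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            throw new GeneralSecurityException("no end-entity certificate in chain");
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(orgRoot, null)));
        // Assumption for this example: no CRL/OCSP source is configured here;
        // a real deployment should keep revocation checking on.
        params.setRevocationEnabled(false);

        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(certPath, params);
        if (!result.getTrustAnchor().getTrustedCert().equals(orgRoot)) {
            throw new GeneralSecurityException("chain did not terminate at the organization root");
        }
        return path.get(0);
    }
}
```

For step 3 of the chain to pass PKIX validation, the realm cert must be issued with CA basic constraints (and a key usage allowing certificate signing); a plain end-entity realm cert will be rejected as an issuer.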