[keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication

Bill Burke bburke at redhat.com
Thu Jul 16 08:40:11 EDT 2015



On 7/16/2015 4:20 AM, Marek Posolda wrote:
>> I'm not sure we really need to have any special integration with
>> Elytron.  We just need to make sure that it can support certificate
>> chains the way we want to support it.  I'm pretty sure EAP 6.x can
>> support what we want, read on...
>>
>> The certificate chain is available from the HttpServletRequest as per the
>> spec.  I'm not exactly sure on the specifics, but all you need is one
>> "root" certificate in the web server's trust store.  Then you could
>> conceivably create a trusted certificate chain as follows:
>>
>> 1) Organization root certificate.
>>
>> 2) Root cert signs Realm cert.
>>
>> 3) Realm cert signs client cert.
>>
>> Following me?  My guess is that it would be really easy to issue our own
>> client certs and that we could have a Required Action that helped set
>> this up.
>>
> Yeah, so if we can just put the root certificate in the truststore at startup,
> it's easy. The issue might be if we want the root CA to be added to the
> truststore at "runtime" as Stian mentioned in the other mail. Will try to
> double-check if it's possible.
>

I don't know how well cert chains are supported.  I guess you'll find out :)


For client auth, shouldn't we just support the best practices and 
whatever the spec requires?  2-way SSL is a pain in the ass, wouldn't 
you be better off with PIN+OTP?  Much easier to set up and manage.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
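
The chain layout sketched in the quoted mail (organization root in the server truststore, root signs a per-realm CA, realm CA signs client certs) can be exercised end to end with nothing but the Go standard library, so the following is an added, self-contained example rather than code from Keycloak, Elytron or anyone on this thread. It issues the three levels, then does what the server side would do: trust only the root, take the chain the client presented in the handshake (leaf first, which is what a servlet container hands back through the `javax.servlet.request.X509Certificate` request attribute), and recover the realm from the intermediate that validated. The organization, realm and user names are constructed for the example; the pathLen constraint on the realm CA is this example's choice, not something the mail specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three levels from the mail: organization root, realm CA
// signed by the root, client certificate signed by the realm CA.
type Chain struct {
	Root, Realm, Client *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and parses the DER result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues root -> realm CA -> client cert for constructed names.
func BuildChain(org, realm, user string) (*Chain, error) {
	rootKey, realmKey, clientKey := mustKey(), mustKey(), mustKey()
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, fmt.Errorf("root: %w", err)
	}
	realmTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: realm + " Realm CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0, // example's choice: realm CA issues end-entity certs only
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	realmCA, err := issue(realmTmpl, root, &realmKey.PublicKey, rootKey)
	if err != nil {
		return nil, fmt.Errorf("realm CA: %w", err)
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{OrganizationalUnit: []string{realm}, CommonName: user},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err := issue(clientTmpl, realmCA, &clientKey.PublicKey, realmKey)
	if err != nil {
		return nil, fmt.Errorf("client: %w", err)
	}
	return &Chain{Root: root, Realm: realmCA, Client: client}, nil
}

// VerifyClient is the server-side check: only the organization root is
// trusted; presented is the chain the client sent, leaf first. Intermediates
// are taken from the presented chain, never trusted on their own. On success
// it returns the realm CA's subject CN so the caller can route to that realm.
func VerifyClient(root *x509.Certificate, presented ...*x509.Certificate) (string, error) {
	if len(presented) == 0 {
		return "", errors.New("no client certificate presented")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	chain := chains[0] // leaf, realm CA, root
	if len(chain) != 3 {
		return "", fmt.Errorf("expected leaf/realm/root, got %d certificates", len(chain))
	}
	return chain[1].Subject.CommonName, nil
}

func main() {
	c, err := BuildChain("Acme", "demo", "alice")
	if err != nil {
		panic(err)
	}
	realm, err := VerifyClient(c.Root, c.Client, c.Realm)
	fmt.Println("full chain:", realm, err)
	_, err = VerifyClient(c.Root, c.Client)
	fmt.Println("leaf only:", err)
}
```

Two things worth noting for the design in the mail. First, "one root in the truststore" only works if the client actually sends the realm CA along with its leaf; a leaf on its own fails with an unknown-authority error, so either the client keystores must carry the intermediate or the server has to hold every realm CA as well. Second, the trust pool here is rebuilt on every call, which is what makes adding a root at runtime trivial in this example; a JSSE truststore loaded once at container startup does not behave that way, which is the question Marek raises above.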

