[keycloak-dev] Requirements to Elytron for Client 2-way SSL authentication

Bill Burke bburke at redhat.com
Thu Jul 16 08:40:11 EDT 2015

On 7/16/2015 4:20 AM, Marek Posolda wrote:
>> I'm not sure we really need to have any special integration with
>> Elytron.  We just need to make sure that it can support certificate
>> chains the way we want to support it.  I'm pretty sure EAP 6.x can
>> support what we want, read on...
>> The certificate chain is available from the HttpServletRequest as per the
>> spec.  I'm not exactly sure on the specifics, but all you need is one
>> "root" certificate in the web server's trust store.  Then you could
>> conceivably create a trusted certificate chain as follows:
>> 1) Organization root certificate.
>> 2) Root cert signs Realm cert.
>> 3) Realm cert signs client cert.
>> Following me?  My guess is that it would be really easy to issue our own
>> client certs and that we could have a Required Action that helped set
>> this up.
> Yeah, so if we can just put root certificate in truststore at startup,
> it's easy. The issue might be if we want root CA to be added to
> truststore at "runtime" as Stian mentioned in other mail. Will try to
> doublecheck if it's possible.

I don't know how well cert chains are supported.  I guess you'll find out :)

For client auth, shouldn't we just support the best practices and 
whatever the spec requires?  2-way SSL is a pain in the ass, wouldn't 
you be better off with PIN+OTP?  Much easier to set up and manage.

Bill Burke
JBoss, a division of Red Hat

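To make the chain-of-trust idea in the quoted message concrete, here is an added example (not code from the original thread, from Keycloak, or from Elytron/EAP) that builds the three-level hierarchy Bill describes with Go's standard library: an organization root, a realm CA signed by the root, and a client certificate signed by the realm CA. It then verifies the client certificate the way a web server with only the root in its trust store would. All names (Example Org Root CA, Example Realm CA, alice) and the key sizes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the hierarchy from the thread: organization root -> realm CA -> client cert.
type Chain struct {
	Root, Realm, Client *x509.Certificate
}

// newCert generates a P-256 key for tmpl and signs tmpl with parentKey.
// A nil parent produces a self-signed certificate (used for the root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues the three certificates. The realm CA gets pathlen 0 so it
// can sign end-entity (client) certificates but not further CAs.
func BuildChain() (*Chain, error) {
	now := time.Now()
	base := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn}, // constructed names
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	rootTmpl := base("Example Org Root CA", 1)
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := newCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	realmTmpl := base("Example Realm CA", 2)
	realmTmpl.IsCA, realmTmpl.BasicConstraintsValid = true, true
	realmTmpl.MaxPathLen, realmTmpl.MaxPathLenZero = 0, true
	realmTmpl.KeyUsage = x509.KeyUsageCertSign
	realm, realmKey, err := newCert(realmTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	clientTmpl := base("alice", 3)
	clientTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	clientTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	client, _, err := newCert(clientTmpl, realm, realmKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Realm: realm, Client: client}, nil
}

// VerifyClient validates c.Client with ONLY the organization root trusted.
// `presented` stands for the extra certificates the TLS client sent along
// with its leaf; any intermediate (the realm CA) must come from there.
// On success it returns the subject CNs of the validated chain, leaf first.
func VerifyClient(c *Chain, presented ...*x509.Certificate) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root) // the single "root" entry in the server trust store
	inters := x509.NewCertPool()
	for _, p := range presented {
		inters.AddCert(p)
	}
	chains, err := c.Client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	var subjects []string
	for _, cert := range chains[0] {
		subjects = append(subjects, cert.Subject.CommonName)
	}
	return subjects, nil
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyClient(c, c.Realm)) // client sent the realm CA: chain validates
	fmt.Println(VerifyClient(c))          // realm CA missing: unknown authority
}
```

The second call in main is the practical caveat behind "I don't know how well cert chains are supported": with only the root in the trust store, validation succeeds only if the realm certificate reaches the server, either presented by the client during the handshake or added to the server's intermediate set. Because the pools here are built per call, swapping in a newly issued realm CA at runtime is just a matter of adding it to the pool, which is the runtime-truststore question raised in the thread.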