[keycloak-dev] Keycloak PKI/Certificate Service Implementation

Bill Burke bburke at redhat.com
Tue May 26 08:43:55 EDT 2015


I want a facility in the admin console that can create and name one or 
more keypairs/certificates.  Then, we can assign these keypairs/certs to 
various aspects, i.e., most protocols recommend different keypairs for 
encryption and signatures.  Some clients may want to use HMAC over RSA, etc.

On 5/26/2015 3:23 AM, Giriraj Sharma wrote:
> We're looking to provide an API to easily enable Key and Certificate
> Management for Keycloak-based applications. We may have a comprehensive
> PKI/Certificate service for KC so as to fulfill all key/certificate/JOSE
> requirements in the future roadmap. This is a future consideration/idea
> and is not meant as a feature to be merged soon. It will likely hit KC
> master as and when the roadmap requires.
>
> The idea is to turn a realm into a Certification Authority, responsible
> for issuing, validating, revoking and renewing certificates for the
> identity types (e.g. realms, users, applications etc.) associated with it.
> Thus, the realm will act as the root CA, or the realm's certificate
> (X509 v1) will be self signed and the certificates (X509 v3) of identity
> types will be signed with the realm's certificate.
>
> So, there will be a pki module with a key and certificate authority which
> will be able to perform all key and certificate related functions and
> hence will be used as per requirements by identity types (e.g. realms,
> users, applications etc.).
>
> In the future, we also want to provide:
> - RESTful endpoints to perform not only certificate operations, but also
>   manage keys, especially public keys. Probably using JSON Web Keys (JWK).
> - Better support for HTML5 and mobile applications that require some kind
>   of support for certificates, asymmetric keys, signature and encryption,
>   especially when using JWT and JOSE.
> - Support for Java KeyStores to load and store keys.
> - Implementation of the Let's Encrypt ACME specification.
> - Support for JWS and JWE, if required.
>
> After some initial work, I think we have an initial design. We still have
> to think about some points, especially regarding configuration and storage.
>
> Basically, what we have so far are two main components:
> CertificateAuthority and KeyAuthority.
> The first is about managing keys (e.g. RSA keys) for realm and identity
> types. The second one is about managing certificates using the keys for a
> particular type.
>
> We have a Key and Certificate Authority which can be injected anywhere and
> be used accordingly. If CDI doesn't appear to be a good choice, then we
> can probably directly use these services via method invocations:
>
>      @Inject
>      private KeyAuthority keyAuthority;
>
>      @Inject
>      private CertificateAuthority certificateAuthority;
>
> More information here:
> https://gist.github.com/girirajsharma/8d59a674a28560ca0a91
> First cut on my local keycloak pki branch:
> https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29
>
> Cheers,
>
> --
> Giriraj Sharma
> about.me/girirajsharma
>
>
> Giriraj Sharma,
> Department of Computer Science
> National Institute of Technology Hamirpur
> Himachal Pradesh, India 177005
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
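The realm-as-root-CA design in the quoted post, combined with Bill's point about separate keypairs for signing and encryption, as an added example that is not Keycloak's or Giriraj's code: the realm becomes a self-signed CA, issues one signing and one encryption certificate to a single client with distinct keyUsage, and the chain and usage split are verified. It assumes only the openssl command-line tool; all names (demo-realm, demo-client-*) are constructed.

```shell
#!/bin/sh
# Added example, not Keycloak code: model a realm as a root CA that issues
# separate signing and encryption certificates to one client, then verify
# the chain and the keyUsage split. Requires the openssl CLI.
set -e

# Issue one leaf cert from the realm CA.
# $1 = output basename, $2 = subject CN, $3 = keyUsage value
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA realm.crt -CAkey realm.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Build the whole PKI in a scratch directory; returns 0 only if both leaf
# certs chain to the realm cert and carry the intended key usage.
realm_pki_demo() {
  work=$(mktemp -d)
  cd "$work"
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = demo-realm
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Realm root: self-signed, CA:TRUE, restricted to signing certs and CRLs.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -keyout realm.key -out realm.crt 2>/dev/null
  # Two keypairs for one client: one for signatures, one for encryption.
  issue_cert client-sig demo-client-signing digitalSignature
  issue_cert client-enc demo-client-encryption keyEncipherment
  # Chain validation: both leaves must verify against the realm cert.
  openssl verify -CAfile realm.crt client-sig.crt client-enc.crt >/dev/null
  # The key usage must be split exactly as issued, and the root must be a CA.
  openssl x509 -in client-sig.crt -noout -text | grep -q 'Digital Signature'
  openssl x509 -in client-enc.crt -noout -text | grep -q 'Key Encipherment'
  openssl x509 -in realm.crt -noout -text | grep -q 'CA:TRUE'
  echo "realm CA issued signing and encryption certs in $work"
}
```

A realm key that is only marked keyCertSign cannot later be presented as a client's signing or encryption key, which is the separation Bill asks for.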
