[keycloak-dev] Keycloak PKI/Certificate Service Implementation

Giriraj Sharma giriraj.sharma27 at gmail.com
Tue May 26 08:57:29 EDT 2015


Acknowledged. Certificate/Key Configuration Authority will facilitate
setting configuration for almost all config parameters( eg. key/cert
signature algorithm, encryption algorithm, signature/secure random
algorithm provider, bit length, validity etc.).

On Tue, May 26, 2015 at 6:13 PM, Bill Burke <bburke at redhat.com> wrote:

> I want a facility in the admin console that can create and name one or
> more keypairs/certificates.  Then, we can assign these keypair/certs to
> various aspects.  i.e., Most protocols recommend different keypairs for
> encryption and signatures.  Some clients may want to use HMAC over RSA,
> etc.
>
> On 5/26/2015 3:23 AM, Giriraj Sharma wrote:
> > We're looking to provide a API to easily enable Key and Certificate
> > Management to
> > Keycloak-based applications. We may have a comprehensive PKI/Certificate
> > service
> > for KC so as to fulfill all key/certificate/JOSE requirements in future
> > roadmap. This is a future
> > consideration/idea and is not meant as a feature to be merged soon. It
> > will be likely to hit KC master
> > as and when the roadmap will require.
> >
> > The idea is turn a realm into a Certification Authority,
> > responsible for issue, validate, revoke and renew certificates for the
> > identity types
> > (eg.: realms, users, applications etc) associated with it. Thus, realm
> > will act
> > as the root CA or realm's certificate(X509 v1) will be self signed and
> > certificates(X509 v3) of
> > identity types will be signed with realm's certificate.
> >
> > So, there will be a pki module with key and certificate authority which
> > will be able to
> > perform all key and certificate related functions and hence will be used
> > as per requirements
> > by identity types(eg.: realms, users, applications etc).
> >
> > In the future, we also want to provide:
> > - RESTful Endpoints to perform not only certificate operations, but also
> > manage keys.
> > Specially public keys. Probably using JSON Web Keys (JWK).
> > - Better support for HTML5 and mobile applications that require some
> > kind of support for certificates,
> > asymmetric keys, signature and encryption. Specially when using JWT and
> > JOSE.
> > - Support Java KeyStores to load and store keys.
> >
> > -Implementation of lets encrypt ACME Specification.
> > -Support for JWS and JWE, if required.
> >
> > After some initial work, I think we have an initial design. Still have
> > to think about,
> > specially regarding the configuration and storage.
> >
> > Basically, what we have so far are two main components:
> > CertificateAuthority and KeyAuthority.
> > The first is about managing keys (eg.: RSA keys) for realm and identity
> > types.
> > The second one is about managing certificates using the keys for a
> > particular type.
> >
> > We have Key and Certificate Authority which can be injected anywhere and
> > be used accordingly.
> > If CDI doesn't appears to be a good choice, then, we can probably
> > directly use these services via method
> > invocations :
> >
> >      @Inject
> >      private KeyAuthority keyAuthority;
> >
> >      @Inject
> >      private CertificateAuthority certificateAuthority;
> >
> > More information here :
> > https://gist.github.com/girirajsharma/8d59a674a28560ca0a91
> > First cut on my local keycloak pki branch :
> >
> https://github.com/girirajsharma/keycloak/commit/89f20380ece48cbdbc6426ec98d32e4d0751bd29
> >
> > Cheers,
> >
> > --
> > Giriraj Sharma
> > about.me/girirajsharma
> >
> > <http://about.me/girirajsharma?promo=email_sig>
> >
> > Giriraj Sharma,
> > Department of Computer Science
> > National Institute of Technology Hamirpur
> > Himachal Pradesh, India 177005
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>



-- 

Giriraj Sharma
about.me/girirajsharma
<http://about.me/girirajsharma?promo=email_sig>
 Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150526/e3ddfa33/attachment.html 


More information about the keycloak-dev mailing list