Browser not prompting for X.509 certificate

Hi guys,

I’m trying to configure Keycloak to authenticate users with X.509 certificates according to the documentation and this YouTube tutorial.

I’m fairly certain I have all the settings correct according to both sources, but when I click “Sign In” on the client Account Console, I just get prompted for a username and password.

If I disable the “X.509 Browser Forms” execution and just leave the “X509/Validate Username Form” execution enabled, I instead get an “Invalid username or password” error. But this, regardless, proves that the correct flow is being used.

I can’t see any relevant entries in the logs or the browser tools network tab.

I’m running the latest Keycloak in a custom Docker container based on Debian 11. Keycloak is running in production mode on port 8443, using self-signed TLS, and not running through a reverse proxy.

Hope someone can help.

1.) Verify that TLS announces client cert support:

$ openssl s_client -connect <keycloak-host:tls-port>
Acceptable client certificate CA names

2.) Your browser needs to have access to client cert(s) issued by one of the “Acceptable client certificate CA names” from the previous step. Each browser/OS has its own procedure for that. The browser may also have its own setting for prompting for X.509 certs. Make sure you have the correct configuration for that.
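Added example for step 1 above (my own script, not from this thread or from the Keycloak project): the browser only opens its certificate picker when the server actually sends a TLS CertificateRequest, which on the Quarkus-based Keycloak distribution is controlled by the https-client-auth option. The script below wraps the openssl s_client check from step 1 and parses its transcript. The host:port is a placeholder; the two transcripts at the bottom are constructed samples so the parser can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks whether a TLS endpoint
# (assumed: Keycloak on 8443) sends a CertificateRequest, which is what makes
# a browser prompt for an X.509 certificate.

# Read an `openssl s_client` transcript on stdin. Prints the acceptable CA
# names, one per line, and returns 0 when the server requested a client
# certificate, 1 otherwise. Two signals are used because OpenSSL prints
# "No client certificate CA names sent" both when no CertificateRequest was
# received and when one was received without a CA list, whereas the
# "Requested Signature Algorithms" line only appears after a CertificateRequest.
parse_cert_request() {
    awk '
        /^Acceptable client certificate CA names/ { in_names = 1; requested = 1; next }
        /^Requested Signature Algorithms/         { requested = 1 }
        in_names && /^(Client Certificate Types|Requested Signature|Shared Requested|Peer signing|Server Temp Key|---)/ { in_names = 0 }
        in_names { print }
        END { exit requested ? 0 : 1 }
    '
}

# Live probe (needs network; host:port is a placeholder). </dev/null closes
# stdin so s_client exits right after the handshake; stderr is dropped because
# a self-signed server certificate produces verify errors that are irrelevant
# to this check. SNI is set from the host part so virtual hosts answer correctly.
probe_cert_request() {
    host_port="$1"
    openssl s_client -connect "$host_port" -servername "${host_port%%:*}" </dev/null 2>/dev/null \
        | parse_cert_request
}

# Run the parser over a transcript held in a variable (used for the samples).
check_sample() {
    printf '%s\n' "$1" | parse_cert_request
}

# Constructed, abbreviated transcripts for offline use.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Peer signing digest: SHA256
---
SSL handshake has read 1500 bytes and written 400 bytes'

SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
---
SSL handshake has read 1400 bytes and written 400 bytes'

# Offline demonstration: the first sample lists a CA and exits 0, the second
# prints nothing and exits 1. For a real server use:
#   probe_cert_request keycloak.example.internal:8443
for sample in "$SAMPLE_REQUESTED" "$SAMPLE_NOT_REQUESTED"; do
    if check_sample "$sample"; then
        echo "=> server requests a client certificate"
    else
        echo "=> no CertificateRequest seen; browser will not prompt"
    fi
done
```

If the probe reports no CertificateRequest, the browser-side settings in step 2 cannot help: the server never asked, so fix the listener's client-auth configuration first. If a CA is listed but the browser still shows the username/password form, the client certificate in the browser's store was not issued by one of the listed CAs, or the browser's own prompting setting suppresses the picker.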

Hey, there may be another reason if it doesn’t work in incognito mode.
As of Chrome 81+ you have to add an additional registry flag; otherwise it really shows a username and password prompt.