Keycloak 11.x - How to get Mutual Authentication to work for CAC Cert

I’ve followed several guides. Most seem consistent. I’ve added an ssl-realm and https-listener as such…

        <security-realm name="ssl-realm">
            <server-identities>
                <ssl>
                    <keystore path="application.keystore"
                              relative-to="jboss.server.config.dir"
                              keystore-password="password"/>
                </ssl>
            </server-identities>
            <authentication>
                <truststore path="truststore-dod.jks"
                            relative-to="jboss.server.config.dir"
                            keystore-password="password"/>
            </authentication>
        </security-realm>
        <https-listener name="default"
                        socket-binding="https"
                        security-realm="ssl-realm"
                        verify-client="REQUIRED"/>

I’ve configured a Realm’s Authentication for an x509/Validate Username Form (and without the Form). I’ve changed the Browser and Direct Grant Flow to the new Authentication Flow.

However, the browser is NEVER prompted to select my CAC’s certificate. I’m using Keycloak in Docker Desktop and using docker cp to copy changes over to /opt/jboss/keycloak/standalone/configuration/standalone.xml and using the cli tool to restart.

To be honest I don’t see the connection between the Realm and the Listener. I suppose it’s built into the x509/Validate Username Form adapter, but in any case nothing seems to work.

Any help would be appreciated.

Here’s my recommendation:

  1. Use a Docker volume bind so you can update your standalone.xml config file locally. Using docker-compose makes this easier for development.
  2. It seems the Realm and the SSL configs are separate, but Keycloak by default leverages JBoss / Wildfly’s underlying mutual TLS SSL engine to validate incoming client certificates. Once you enable verify-client, it will prompt for a certificate on every connection made through Keycloak’s SSL port.
  3. Try using incognito mode on your browser. Sometimes, if you connect to a site and do not provide a certificate, your browser will always default to that. Browsing in incognito mode will reset that and prompt you for your cert if verify-client is set to REQUESTED or REQUIRED.
  4. If set up correctly, navigating even to Keycloak’s admin page will prompt you for a valid certificate.
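The recommendations above hinge on whether the https-listener is really asking the browser for a certificate, which is hard to tell from the browser alone. The following script is an added diagnostic, not code from the thread or from the Keycloak project: it runs `openssl s_client -msg` against the listener and checks the handshake trace for a `CertificateRequest` message, which the server only sends when `verify-client` is `REQUESTED` or `REQUIRED`. The host, port and the sample handshake transcripts are constructed assumptions for the example.

```shell
#!/bin/sh
# Added diagnostic for the mutual-TLS question above (not from the original thread).
# Assumes: openssl is installed; Keycloak's HTTPS port is localhost:8443 by default.

# Classify a captured `openssl s_client -msg` transcript.
# Prints "requested" if the server sent a TLS CertificateRequest (verify-client
# is REQUESTED/REQUIRED), "not-requested" if a handshake completed without one,
# or "no-handshake" if no ServerHello is present (connection refused, wrong port).
classify_client_auth() {
    transcript="$1"
    if grep -q 'Handshake.*CertificateRequest' "$transcript"; then
        echo requested
    elif grep -q 'Handshake.*ServerHello' "$transcript"; then
        echo not-requested
    else
        echo no-handshake
    fi
    return 0
}

# Live check against a running Keycloak (needs network; not exercised offline).
# -msg prints every handshake message by name, including the CertificateRequest.
# </dev/null closes stdin so s_client exits right after the handshake.
check_client_auth() {
    host="${1:-localhost}"; port="${2:-8443}"
    out=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -msg </dev/null >"$out" 2>&1
    classify_client_auth "$out"
    rm -f "$out"
}

# Constructed sample transcript: listener with verify-client="REQUESTED"/"REQUIRED".
sample_requested() {
    cat <<'EOF'
CONNECTED(00000003)
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0032], EncryptedExtensions
<<< TLS 1.3, Handshake [length 003d], CertificateRequest
<<< TLS 1.3, Handshake [length 02f1], Certificate
EOF
}

# Constructed sample transcript: listener with verify-client="NOT_REQUESTED".
sample_not_requested() {
    cat <<'EOF'
CONNECTED(00000003)
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 0032], EncryptedExtensions
<<< TLS 1.3, Handshake [length 02f1], Certificate
EOF
}

# Stand-alone demo over the constructed transcripts (no network needed).
demo() {
    tmp=$(mktemp)
    sample_requested >"$tmp";     printf 'REQUIRED listener:      %s\n' "$(classify_client_auth "$tmp")"
    sample_not_requested >"$tmp"; printf 'NOT_REQUESTED listener: %s\n' "$(classify_client_auth "$tmp")"
    rm -f "$tmp"
}
demo
```

Run `check_client_auth localhost 8443` with the container up: "not-requested" means the https-listener is not bound to the ssl-realm with verify-client set, so no Realm-level x509 flow can ever see a certificate; "requested" means the listener is fine and the problem is on the browser side (cached "no certificate" choice, incognito mode) or in the truststore the CAC issuer must chain to.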