Our final goal with Keycloak is to allow x509 certificate based logins. Per the documentation this requires mTLS to be enabled. After completing the base configuration, which includes a User Federation via AD, getting SSL certs from our internal CA and installing them, and adding a client and verifying that the login works, I added our local CA's root certificate and our x509 certificate chain to a Java keystore, added the keystore to the configuration, and enabled mTLS. I can still log in to the server but the client no longer allows the Keycloak login to work. Said client is Proxmox 8, which uses OpenID, and after enabling mTLS when I attempt to use the OpenID login realm (a Proxmox realm) I get the following error message: “OpenID redirect failed. Request failed (500)”.
The client OS (Debian) does have the internal CA root certificate set as trusted and, per Proxmox instructions, I also included it as part of the SSL cert .pem file when uploading it.
One thing I have done is to run the log at the TRACE level. Doing so and then attempting the OpenID login again got me 283 lines of logs. Most are certificate listings, including the one for our internal CA, but the lines that caught my eye were at the end. It is mostly a Java TRACE so I’ve only included the first few lines of that below.
2025-04-10 13:53:25,268 DEBUG [io.netty.handler.ssl.BouncyCastlePemReader] (vert.x-eventloop-thread-0) Bouncy Castle provider available
2025-04-10 13:53:25,279 DEBUG [io.netty.handler.ssl.BouncyCastlePemReader] (vert.x-eventloop-thread-0) Parsed PEM object of type org.bouncycastle.asn1.pkcs.PrivateKeyInfo and assume key is not encrypted
2025-04-10 13:53:25,352 DEBUG [io.netty.util.Recycler] (vert.x-eventloop-thread-0) -Dio.netty.recycler.maxCapacityPerThread: 4096
2025-04-10 13:53:25,353 DEBUG [io.netty.util.Recycler] (vert.x-eventloop-thread-0) -Dio.netty.recycler.ratio: 8
2025-04-10 13:53:25,353 DEBUG [io.netty.util.Recycler] (vert.x-eventloop-thread-0) -Dio.netty.recycler.chunkSize: 32
2025-04-10 13:53:25,353 DEBUG [io.netty.util.Recycler] (vert.x-eventloop-thread-0) -Dio.netty.recycler.blocking: false
2025-04-10 13:53:25,353 DEBUG [io.netty.util.Recycler] (vert.x-eventloop-thread-0) -Dio.netty.recycler.batchFastThreadLocalOnly: true
2025-04-10 13:53:25,387 TRACE [io.vertx.core.http.impl.HttpServerImpl] (vert.x-eventloop-thread-0) Connection failure: javax.net.ssl.SSLHandshakeException: Empty client certificate chain
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:317)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1157)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
Personally I’m wondering if the Keycloak realm keys have something to do with this but cannot find anything pointing towards that one way or the other. Nor can I find instructions or guidelines on creating a new set of realm keys using our internal CA (Windows server) to sign the certificate.
Edit: Added log lines
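The "Empty client certificate chain" alert in the trace is raised by a TLS listener that requires a client certificate on every connection when the connecting side, here the Proxmox OpenID redirect, presents none. As an added illustration (not code from the post, from Proxmox or from Keycloak), the Go program below builds a self-signed certificate in memory and shows that a certificate-less client is rejected under a "required" client-auth policy but accepted under a "request" (optional) policy; Keycloak exposes the same distinction through the `required` and `request` values of its `https-client-auth` option. The certificate, names and loopback port are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate in memory
// (constructed for this demo; it is not the poster's internal-CA chain).
func selfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// HandshakeWithoutClientCert runs a loopback TLS server with the given client-auth
// policy, connects with a client that offers no certificate (as an OIDC relying
// party normally does), and reports whether the server accepted the handshake.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{selfSigned()}, ClientAuth: policy})
	if err != nil { panic(err) }
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil { result <- err; return }
		defer c.Close()
		result <- c.(*tls.Conn).Handshake() // "client didn't provide a certificate" when required
	}()
	// InsecureSkipVerify only because the demo server certificate is self-signed.
	if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}); err == nil {
		cli.Close()
	}
	return <-result == nil
}
```

`HandshakeWithoutClientCert(tls.RequireAnyClientCert)` returns false and `HandshakeWithoutClientCert(tls.RequestClientCert)` returns true, which is the behaviour difference to check for on the Keycloak listener before concluding that the realm keys are involved.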