Hi there,
I need to configure an identity provider (OIDC type). The token endpoint needs to be called with mTLS.
I have access to two versions of Keycloak (v9 and v15), both of them running inside K8s.
So far I have tried many things:
Each attempt does the same thing: handshake_failure. I receive the certificate from the IdP server and Keycloak just responds with (ssl:handshake debug):
Produced client Certificate handshake message (
"Certificates": <empty list>
)
What do I need to configure to make Keycloak respond with my client certificate so the handshake can succeed?
Thank you all for helping me.
In case someone is facing the same issue, here is the solution:
- Create a keystore containing the client certificate and the key (protect this keystore with a password):
openssl pkcs12 -export -in your-cert-fullchain.crt -inkey your-cert.key -out keystore.p12 -name your-cert
- Create a secret containing this keystore:
kubectl create secret generic client-certificate --from-file=keystore.p12
- Modify your Deployment in order to mount this secret inside your workload.
- Edit your standalone config file.
In my case, I use a specific actions.cli as my image is customized. At build time, a file containing actions is copied into the image. At launch time, these actions are run against the workload.
Here are the actions to add the keystore:
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore,value=/the/path_to_the/keystore.p12)
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore-password,value="THE_PASSWORD")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-key-password,value="THE_PASSWORD")
2 Likes
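For the "mount this secret inside your workload" step, here is an added Deployment fragment (not from the thread or from the Keycloak project) showing how the Secret can be mounted read-only and how the keystore password can be handed to the container as an environment variable instead of being written in plain text into actions.cli. The container name "keycloak", the mount path /opt/jboss/tls, and the second Secret "client-keystore-password" with key "password" are assumptions; create that Secret yourself.

```yaml
# Added example: Deployment fragment mounting the client-certificate Secret
# and exposing the keystore password as an env var (names are assumptions).
spec:
  template:
    spec:
      volumes:
        - name: client-certificate
          secret:
            secretName: client-certificate   # created with kubectl create secret generic ...
            defaultMode: 0400                 # keystore readable only by the owner
      containers:
        - name: keycloak
          env:
            - name: KEYSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: client-keystore-password   # assumed Secret holding the password
                  key: password
          volumeMounts:
            - name: client-certificate
              mountPath: /opt/jboss/tls
              readOnly: true
```

With that in place, the keystore path in the CLI actions becomes /opt/jboss/tls/keystore.p12, and the two password attributes can reference the variable with the `${env.KEYSTORE_PASSWORD}` expression syntax that WildFly resolves (Keycloak's shipped standalone.xml uses the same `${env.NAME:default}` form for the hostname SPI), so the password never lands in the image or in a ConfigMap.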
Thanks! This was really useful. After reading this I also found the related official docs: Server Installation and Configuration Guide
Another thing which is very useful to know is that if you use a PKCS12 (.p12 or .pfx) file as keystore, then you need to use the keystore password in both places. A PKCS12 keystore does not have a key password, only a keystore password, and without setting both properties.client-keystore-password and properties.client-key-password to the actual keystore password, you get strange error messages related to crypto padding.
1 Like
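To make the keystore step from the solution above and the PKCS12 password remark reproducible end to end, here is an added shell script (not code from the thread or from Keycloak). It generates a throwaway self-signed client certificate and key (constructed stand-ins for the real certificate issued to you), exports them into a PKCS12 keystore under one password, checks that the keystore opens only with that password, and writes the three jboss-cli actions with the same password in both the client-keystore-password and client-key-password attributes. It assumes the openssl CLI is installed; the keystore path passed to write_cli_actions is a placeholder.

```shell
#!/bin/sh
# Added example: build and verify a PKCS12 client keystore for Keycloak's
# connectionsHttpClient SPI. Assumes the openssl CLI is on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/kc-mtls-example.$$"
mkdir -p "$WORK"

# Generate a constructed self-signed client cert + key. This stands in for the
# client certificate the IdP issued; it is only here so the script runs offline.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Export cert + key into a PKCS12 keystore protected by a single password
# (the openssl pkcs12 -export step from the thread, password given explicitly).
make_keystore() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/keystore.p12" -name client -passout "pass:$1"
}

# Return 0 if the keystore opens (MAC verifies) with the given password, else non-zero.
# There is no separate key password to try: PKCS12 has one password for the whole file.
keystore_opens_with() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Write the three jboss-cli actions. Because PKCS12 has no distinct key password,
# the same value goes into client-keystore-password and client-key-password.
# $1 = keystore path inside the container (placeholder), $2 = keystore password.
# Prints the number of write-attribute lines written (expected: 3).
write_cli_actions() {
  cat > "$WORK/actions.cli" <<EOF
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore,value=$1)
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-keystore-password,value="$2")
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.client-key-password,value="$2")
EOF
  grep -c "write-attribute" "$WORK/actions.cli"
}
```

Run the functions in order (make_client_cert, make_keystore PASSWORD, keystore_opens_with PASSWORD, write_cli_actions /path/in/container/keystore.p12 PASSWORD); the generated actions.cli in $WORK is the file to bake into the image or apply with jboss-cli.sh, and the keystore check is the quick way to rule out a wrong password before chasing the padding errors mentioned above.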
Glad to have been helpful