Hi there,

I need to configure an identity provider (OIDC type). The token endpoint need to be called with mTLS.
I have access to two version of keycloak (v9 and v15), both of them are running inside K8s

As of now, I tried many things :

Each try do the same : handshake_failure. I received the certificate from the IDP server and keycloak just respond with (ssl:handshake debug) :

Produced client Certificate handshake message (
"Certificates": <empty list>

What do I need to configure to make keycloak respond with my client certificate to validate the handshake ?

Thank you all for helping me.

In case someone is facing the same issue, here is the solution :

  1. Create a keystore containing the client certificate and the key (protect this keystore with a password) :
openssl pkcs12 -export -in you-cert-fullchain.crt -inkey your-cert.key -out keystore.p12 -name your-cert
  1. Create a secret containing these keystore :
kubectl create secret generic client-certificate --from-file=keystore.p12

Modify your Deployment in order to mount this secret inside your workload.

  1. Edit your standalone config file
    In my case, I use specific actions.cli as my image is customized. At build time, a file containing actions is copy inside image. At launch time, these actions are run against the workload.
    Here is the actions to add the keystore :

1 Like

Thanks! This was really useful. After reading this I also found the related official docs: Server Installation and Configuration Guide

Another thing which is very useful to know is that if you use a PKCS12 (.p12 or .pfx) file as keystore, then you need to use the keystore password in both places. A PKCS12 keystore does not have a key password, only a keystore password, and without setting both properties.client-keystore-password and properties.client-key-password to the actual keystore password, you get into strange error messages related to crypto padding.

1 Like

Glad to have been helpful