I am trying to achieve what the title says.
I started with LDAP: I imported the CA certificate from the LDAP server into a truststore.jks and added it to Keycloak via
--spi-truststore-file-*
Works like a charm!
Then I added the SMTP configuration for my mail server in the realm settings. The mail server has a certificate issued by a publicly trusted CA (Digicert). When testing the connection I get an error:
ERROR [org.keycloak.services.resources.admin.RealmAdminResource] (executor-thread-0) Failed to send email
javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So Keycloak (or Java?) doesn’t trust the certificate of the mail server.
Now I remove the truststore.jks from Keycloak and restart. And voilà! The connection test to the mail server succeeds! The only problem now, of course, is that the LDAP server certificate is not trusted.
So I can have one of them, mail server or LDAP server, but not both at the same time. It seems as if Keycloak uses the truststore.jks for both. I would expect Keycloak to fall back to the Java or OS store for trusted CAs. I could probably import the mail server certificate into the truststore.jks. But why should I need to do that if the CA is Digicert?
Any advice?
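Added example, not part of the original post: whatever the answer to the fallback question turns out to be, the practical way to have both the private LDAP CA and the public roots trusted through a single `--spi-truststore-file-*` store is to build that store from the JDK's own cacerts and then add the LDAP CA to it. The script below does that with keytool and includes two checks (the LDAP alias is present; the merged store holds more trusted entries than cacerts alone). Assumptions, all mine: keytool is on PATH, the JDK's cacerts still has the default password "changeit", the LDAP CA is available as a PEM file, and the option names `--spi-truststore-file-file` / `--spi-truststore-file-password` match the Keycloak version in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Keycloak project):
# build ONE PKCS12 truststore that carries the JDK's default public roots
# (so a Digicert-issued SMTP certificate verifies) plus the private LDAP CA,
# so the custom truststore never has to choose between LDAP and SMTP.
# Assumptions: keytool on PATH; cacerts password is "changeit"; LDAP CA in PEM.
set -eu

# Locate the JDK's default truststore (JDK 9+ layout first, then JDK 8).
find_cacerts() {
  jdk_bin=$(dirname "$(readlink -f "$(command -v keytool)")")
  for c in "$jdk_bin/../lib/security/cacerts" "$jdk_bin/../jre/lib/security/cacerts"; do
    if [ -f "$c" ]; then printf '%s\n' "$c"; return 0; fi
  done
  return 1
}

# merge_truststore CACERTS LDAP_CA_PEM OUT_P12 PASSWORD
#   1. copy every trusted root from cacerts into a fresh PKCS12 store
#   2. add the private LDAP CA under the alias "ldap-ca"
merge_truststore() {
  cacerts=$1; ldap_ca=$2; out=$3; pass=$4
  rm -f "$out"
  keytool -importkeystore -noprompt \
    -srckeystore "$cacerts" -srcstorepass changeit \
    -destkeystore "$out" -deststoretype PKCS12 -deststorepass "$pass" >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts \
    -alias ldap-ca -file "$ldap_ca" \
    -keystore "$out" -storetype PKCS12 -storepass "$pass" >/dev/null 2>&1
}

# count_trusted STORE PASSWORD: number of trustedCertEntry items in the store.
count_trusted() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c 'trustedCertEntry'
}

# has_alias STORE PASSWORD ALIAS: prints 1 if ALIAS exists in the store, else 0.
has_alias() {
  if keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Stand-alone usage:  sh merge_truststore.sh ldap-ca.pem merged.p12 <password>
if [ "$#" -ge 3 ]; then
  merge_truststore "$(find_cacerts)" "$1" "$2" "$3"
  echo "ldap-ca present: $(has_alias "$2" "$3" ldap-ca)"
  echo "trusted entries: $(count_trusted "$2" "$3")"
  # Then point Keycloak at the merged store instead of the LDAP-only one
  # (option names as referenced in the post; verify against your version):
  #   kc.sh start --spi-truststore-file-file=/path/merged.p12 \
  #               --spi-truststore-file-password=<password>
fi
```

As an independent check of what the mail server actually presents, `openssl s_client -starttls smtp -connect mail.example.com:587` (placeholder host) shows the chain and the verify result against the OS roots; if that succeeds while Keycloak still fails, the Keycloak-side truststore is the only remaining difference.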