I am trying to create a client in Keycloak that uses “X509 Certificate” as the client authenticator (check image 1 below).
I tried this in the following steps:
- enable mTLS and set the trust store file for Keycloak by setting the options below:
  https-client-auth=request
  https-trust-store-file=
  https-trust-store-password=
- generate a new key in the Keycloak admin console and save the p12 file locally (check image 2 below)
- get the client certificate from the p12 file generated in step 2 and import it into the trust store file
- restart Keycloak to make Keycloak reload the trust store file
- use the p12 file (containing the private key and client certificate) generated in step 2 to talk to Keycloak and fetch a token in the client_credentials flow.
I can get a token successfully in step 5. My question is: did I do it right? Every time I create a new client with the “X509 Certificate” client authenticator, do I need to import the client’s certificate into the trust store and restart Keycloak? I don’t think it makes sense that Keycloak needs to be restarted to make a newly created client work, and actually Keycloak saves the client certificate after I click the “Generate new keys” button in the admin console UI, so why do I still need to import it into the trust store file?
It would be much appreciated if someone could tell me if I was doing it wrong and give me the right solution, thanks a lot.
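Steps 3 and 5 of the procedure above, written out as the shell commands they correspond to (an added example, not part of the original post or of Keycloak itself). The file names, the realm name "myrealm", the client id "my-x509-client", the passwords and the base URL are assumptions; the truststore import verifies the certificate fingerprint first, and the token request pins the server CA so the client key is only presented to the real Keycloak.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). All file names, passwords,
# the realm "myrealm", the client id and the base URL are assumptions.
set -euo pipefail

# Step 3: pull only the certificate (no private key) out of the PKCS#12 file
# that the admin console generated, so the truststore never holds the key.
extract_client_cert() {   # extract_client_cert <p12> <p12-password> <out.pem>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

# Step 3 (continued): add that certificate to the file configured as
# https-trust-store-file. Print the SHA-256 fingerprint first so the operator
# can compare it with the one shown in the admin console before trusting it.
import_into_truststore() {   # import_into_truststore <cert.pem> <truststore> <storepass> <alias>
  openssl x509 -in "$1" -noout -fingerprint -sha256
  keytool -importcert -noprompt -file "$1" -keystore "$2" -storepass "$3" -alias "$4"
}

# Step 5: client_credentials request that presents the PKCS#12 (key + cert)
# as the TLS client certificate. --cacert pins the Keycloak server's CA so the
# private key is never offered to an impersonating endpoint.
fetch_token() {   # fetch_token <base-url> <realm> <client-id> <p12> <p12-password> <server-ca.pem>
  curl --fail --silent --show-error \
       --cacert "$6" \
       --cert "$4:$5" --cert-type P12 \
       -d grant_type=client_credentials -d "client_id=$3" \
       "$1/realms/$2/protocol/openid-connect/token"
}

# Sanity check on the extracted PEM: a certificate is present and no key leaked in.
pem_has_only_cert() {   # pem_has_only_cert <file>
  grep -q 'BEGIN CERTIFICATE' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Run the whole sequence with: ./x509-client.sh run
if [ "${1:-}" = "run" ]; then
  extract_client_cert client.p12 changeit client-cert.pem
  pem_has_only_cert client-cert.pem
  import_into_truststore client-cert.pem truststore.p12 changeit my-x509-client
  fetch_token https://keycloak.example:8443 myrealm my-x509-client client.p12 changeit server-ca.pem
fi
```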