How to import a certificate (crt file) into keycloak?

I'm configuring keycloak as an SP which is connecting to a PingFederate IDP.

I'd like to import the IDP's certificate file into keycloak so that the trust will succeed.

How do I import a crt file into keycloak?



Solution 1:[1]

This has been documented on Keycloak's site. https://www.keycloak.org/docs/3.3/server_installation/topics/network/outgoing.html

keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer

The truststore is configured within the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.

<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="path to your .jks file containing public certificates"/>
            <property name="password" value="password"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>

New link: https://www.keycloak.org/server/outgoinghttp#_outgoing_https_request_truststore

Solution 2:[2]

Keycloak looks to be built on top of the WildFly app server, which is a Java server. Haven't tried it, but I expect you just need to use keytool and import the crt into the Java trust store:

keytool -v -import -file file.crt  -alias idp -keystore <whatever keystore your Java process is using>

Keystore default location will depend on OS/java location, but once you do that and (perhaps) restart the Java process you should be good to go.

Solution 3:[3]

Navigate to the location of your keycloak.jks trust store (keycloak_install_dir/standalone/configuration)

Then import the .crt into that store using:

sudo keytool -v -importcert -file <your_cert>.crt -alias <whatever_alias_you_want> -keystore keycloak.jks -storepass <the_pw_for_keycloak.jks>
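
All three answers come down to the same keytool step, so here is one worked version of it as an added example (this is editor-supplied code, not code from the answers or from the Keycloak project). It checks whether the exported file is PEM or DER, refuses a PEM file that carries more than one certificate (keytool -importcert only reads the first), prints the fingerprint so it can be compared with what the PingFederate administrator published, imports the certificate with -noprompt, and then confirms that the alias really landed in the store as a trustedCertEntry. The file names, the alias pingfederate-idp, the store password and the script name are placeholders; a JDK keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the answers above: import an IdP certificate
# into a dedicated Keycloak truststore with keytool and verify the result.
# Assumes a JDK `keytool` on PATH. File names, the alias and the store
# password are placeholders for this example.

# Report whether a certificate file is PEM (base64 with a BEGIN CERTIFICATE
# header) or DER (binary). keytool -importcert accepts either, but a file
# exported from an IdP does not always carry the matching extension.
cert_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo PEM
    else
        echo DER
    fi
}

# Count certificates in a PEM file. keytool -importcert reads only the first
# one, so a chain export has to be split before import.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the certificate's fingerprints so they can be compared with what the
# IdP administrator published; do this before trusting an unattended import.
show_fingerprint() {
    keytool -printcert -file "$1"
}

# Import one certificate as a trusted entry. -noprompt answers the interactive
# "Trust this certificate?" question with yes, which is why the fingerprint
# check above matters. -storetype JKS matches the .jks file the answers use.
import_trusted_cert() {
    cert="$1"; alias="$2"; store="$3"; pass="$4"
    keytool -importcert -noprompt -file "$cert" -alias "$alias" \
        -keystore "$store" -storepass "$pass" -storetype JKS
}

# Succeed only if the alias exists in the store as a trusted certificate entry
# (not a private-key entry), which is what the truststore SPI expects.
has_trusted_entry() {
    alias="$1"; store="$2"; pass="$3"
    keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" 2>/dev/null \
        | grep -q 'trustedCertEntry'
}

# Usage (placeholder names):
#   ./import-idp-cert.sh idp.crt pingfederate-idp truststore.jks changeit
if [ "$#" -ge 4 ]; then
    cert="$1"; alias="$2"; store="$3"; pass="$4"
    echo "format: $(cert_format "$cert")"
    if [ "$(cert_format "$cert")" = PEM ] && [ "$(pem_cert_count "$cert")" -ne 1 ]; then
        echo "expected exactly one certificate in $cert" >&2
        exit 1
    fi
    show_fingerprint "$cert"
    import_trusted_cert "$cert" "$alias" "$store" "$pass"
    has_trusted_entry "$alias" "$store" "$pass" && echo "imported $alias into $store"
fi
```

Two caveats when wiring the result into the truststore SPI shown in Solution 1: keep hostname-verification-policy at WILDCARD or STRICT, since ANY turns hostname verification off entirely; and note that this truststore only governs Keycloak's outgoing HTTPS connections (for example fetching IdP metadata). If what you actually need is for Keycloak to validate the signature on SAML responses from PingFederate, the IdP's signing certificate goes into the SAML identity provider's "Validating X509 Certificates" setting in the admin console, not into this truststore.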

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Femi
Solution 3 icab