gyfoster/keycloak-wildfly-mutual-ssl.txt

## keycloak-wildfly-mutual-ssl.txt
ROOT CA
--------------
Generate the CA private key:
$ openssl genrsa -out ca.key 2048

Create and self sign the root certificate:
$ openssl req -new -x509 -key ca.key -out ca.crt

Import root CA certificate into truststore:
$ keytool -import -file ca.crt -keystore ca.truststore -keypass <password> -storepass <password>


WILDFLY
-----------
Generate wildfly server key:
$ openssl genrsa -out wildfly.key 2048

Generate wildfly certificate signing request:
$ openssl req -new -key wildfly.key -out wildfly.csr

Sign wildfly CSR using CA key to generate server certificate:
$ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt

Convert WildFly cert to pkcs12 format:
$ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -CAfile ca.crt

Convert WildFly pkcs12 file to Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>


KEYCLOAK
-------------
Generate keycloak server key:
$ openssl genrsa -out keycloak.key 2048

Generate keycloak certificate signing request:
$ openssl req -new -key keycloak.key -out keycloak.csr

Sign keycloak CSR using CA key to generate server certificate:
$ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt

Convert Keycloak cert to pkcs12 format:
$ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crt

Convert Keycloak pkcs12 file to Java keystore:
$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>


CLIENT (browser)
------------------
Generate client server key:
$ openssl genrsa -out client.key 2048

Generate client certificate signing request:
$ openssl req -new -key client.key -out client.csr

Sign client CSR using CA key to generate server certificate:
$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

Export client certificate to pkcs12 format:
$ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12


FINAL STEPS
------------
1. Import clientCert.p12 into browser
2. Paste wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
3. Paste keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml:
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl>
          <keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
      </authentication>
    </security-realm>
5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
    <security-realm name="ssl-realm">
      <server-identities>
        <ssl>
          <keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
        </ssl>
      </server-identities>
      <authentication>
        <truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
      </authentication>
    </security-realm>
6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
    <https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
7. Add the following properties to your app's keycloak.json:
    ...
    "truststore": "C:\your\truststore\path\ca.truststore",
    "truststore-password": "<password>",
    ...
	ROOT CA
	--------------
	Generate the CA private key:
	$ openssl genrsa -out ca.key 2048

	Create and self sign the root certificate:
	$ openssl req -new -x509 -key ca.key -out ca.crt

	Import root CA certificate into truststore:
	$ keytool -import -file ca.crt -keystore ca.truststore -keypass <password> -storepass <password>


	WILDFLY
	-----------
	Generate wildfly server key:
	$ openssl genrsa -out wildfly.key 2048

	Generate wildfly certificate signing request:
	$ openssl req -new -key wildfly.key -out wildfly.csr

	Sign wildfly CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt

	Convert WildFly cert to pkcs12 format:
	$ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -CAfile ca.crt

	Convert WildFly pkcs12 file to Java keystore:
	$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <password>


	KEYCLOAK
	-------------
	Generate keycloak server key:
	$ openssl genrsa -out keycloak.key 2048

	Generate keycloak certificate signing request:
	$ openssl req -new -key keycloak.key -out keycloak.csr

	Sign keycloak CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt

	Convert Keycloak cert to pkcs12 format:
	$ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -CAfile ca.crt

	Convert Keycloak pkcs12 file to Java keystore:
	$ keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <password>


	CLIENT (browser)
	------------------
	Generate client server key:
	$ openssl genrsa -out client.key 2048

	Generate client certificate signing request:
	$ openssl req -new -key client.key -out client.csr

	Sign client CSR using CA key to generate server certificate:
	$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

	Export client certificate to pkcs12 format:
	$ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12


	FINAL STEPS
	------------
	1. Import clientCert.p12 into browser
	2. Paste wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration
	3. Paste keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration
	4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml:
	<security-realm name="ssl-realm">
	<server-identities>
	<ssl>
	<keystore path="wildfly.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
	</ssl>
	</server-identities>
	<authentication>
	<truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
	</authentication>
	</security-realm>
	5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
	<security-realm name="ssl-realm">
	<server-identities>
	<ssl>
	<keystore path="keycloak.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="myserverkeystore" key-password="<password>" />
	</ssl>
	</server-identities>
	<authentication>
	<truststore path="ca.truststore" relative-to="jboss.server.config.dir" keystore-password="<password>" />
	</authentication>
	</security-realm>
	6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
	<https-listener name="https" socket-binding="https" security-realm="ssl-realm" enable-http2="true" verify-client="REQUESTED" />
	7. Add the following properties to your app's keycloak.json:
	...
	"truststore": "C:\your\truststore\path\ca.truststore",
	"truststore-password": "<password>",
	...