Reputation: 609
I set up Keycloak 4.8.2-Final on my localhost and enabled SSL as described in the documentation at https://www.keycloak.org/docs/latest/server_admin/index.html#_x509.
The server started, but I could not open the server page on localhost:8443, and
openssl s_client -connect 127.0.0.1:8443
fails with SSL error code 42:
4566025836:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 42
which indicates a client certificate problem.
But my expectation was that the server should redirect me to the login page. After I logged in, the server should generate the client certificate and ask me to download the certificate and import it into my browser. After that I should be able to connect to the server without any further authentication, because I already had the client certificate trusted by Keycloak.
What did I do wrong? Or is this process not supported by the current Keycloak yet?
Upvotes: 0
Views: 4008
Reputation: 609
According to the documentation, it is not supported to download and import the certificate after the user enters a user name and password. The first two steps are always:
A client sends an authentication request over an SSL/TLS channel.
During the SSL/TLS handshake, the server and the client exchange their X.509 v3 certificates.
Therefore the configuration in standalone.xml shall only be "REQUESTED". Without a real understanding I changed it to "REQUIRED", which always asks for a client certificate. If the client does not have one, the handshake fails. With "REQUESTED" the client certificate is just optional.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    ....
    <server name="default-server">
        <https-listener name="default"
                        socket-binding="https"
                        security-realm="ssl-realm"
                        verify-client="REQUESTED"/>
    </server>
</subsystem>
Upvotes: 1
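As an added check that is not part of the answer above: the difference between REQUIRED and REQUESTED is visible from the client side in the `openssl s_client` output, so the listener's effective policy can be confirmed without reading standalone.xml. The functions below classify that output; `probe_listener` assumes `openssl` is installed and takes whatever host and port you are checking.

```sh
#!/bin/sh
# Added example (not from the original question or answer): classify the
# client-certificate policy of a TLS listener from `openssl s_client` output.
# With verify-client="REQUIRED" the handshake fails when no client cert is
# offered (alert 42 "bad certificate" as in the question, or alert 116
# "certificate required" under TLS 1.3). With "REQUESTED" the handshake
# completes and s_client lists the CA names from the server's CertificateRequest.

# classify_s_client_output FILE -> prints one of:
#   required          server rejected the handshake for lack of a client cert
#   requested         handshake completed and the server named acceptable client CAs
#   optional-or-none  handshake completed with no CA names shown; s_client reports
#                     "no CertificateRequest" and "empty CA list" identically
#   unknown           output matched none of the above (e.g. connection refused)
classify_s_client_output() {
  f=$1
  if grep -q 'SSL alert number 42' "$f" || grep -q 'SSL alert number 116' "$f" \
     || grep -q 'alert bad certificate' "$f" || grep -q 'alert certificate required' "$f"; then
    echo required
  elif grep -q 'Acceptable client certificate CA names' "$f" \
       && grep -q 'Verify return code' "$f"; then
    echo requested
  elif grep -q 'No client certificate CA names sent' "$f" \
       && grep -q 'Verify return code' "$f"; then
    echo optional-or-none
  else
    echo unknown
  fi
}

# probe_listener HOST PORT -> connects without a client certificate and
# classifies the result. Stdin is closed so s_client exits after the handshake.
probe_listener() {
  out=$(mktemp)
  openssl s_client -connect "$1:$2" </dev/null >"$out" 2>&1 || true
  classify_s_client_output "$out"
  rm -f "$out"
}
```

A result of `required` against a Keycloak listener means browsers without a certificate never reach the login page, which is exactly the symptom in the question.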