Adding RootCA (internal) to Keystore for Outgoing TLS

Keycloak is running in docker. I’ve gone into the container and added my RootCA and my ADFS cert to the java keystore, that was mounted in a docker volume. I’m a little confused on how to get keycloak to trust my ADFS cert.

docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v keycloak:/opt/keycloak/data/h2 -v kc_certs:/opt/keycloak/conf/ -v kc_truststore:/opt/truststore -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/keycloak.pem -e KC_HOSTNAME=keycloak.lab.local -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/keycloak.key -e KC_TLS_HOSTNAME_VERIFIER=ANY -e KC_TRUSTSTORE_PATH=/opt/truststore/ quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth

No matter what I do when I try to hit the ADFS URL for the saml entity descriptor, I get this:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The env var is KC_TRUSTSTORE_PATHS, not KC_TRUSTSTORE_PATH; an S is missing.

And further, from the docs:

List of pkcs12 (p12 or pfx file extensions), PEM files, or directories containing those files that will be used as a system truststore.

So you have to specify not only a directory but a list of paths to all cert files which should be considered for the truststore.
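As an added illustration of the answer above (this is example code, not part of the thread or of Keycloak itself), the script below builds the comma-separated value for KC_TRUSTSTORE_PATHS from the PEM and PKCS#12 files in a host directory, checks that every listed path actually maps back to a readable file before the container is started, and prints the corrected docker run line. It assumes the CA files live in ./certs on the host and are mounted at /opt/truststore inside the container, as in the poster's -v kc_truststore:/opt/truststore; the other flags from the poster's command (admin credentials, HTTPS certificate, hostname) are unchanged and omitted from the printed line for brevity.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed layout: CA files in
# ./certs on the host, bind-mounted at /opt/truststore inside the container.

# Build the comma-separated value Keycloak expects in KC_TRUSTSTORE_PATHS from the
# PEM and PKCS#12 files in host directory $1, mapped into container directory $2.
# Files with other extensions are ignored. Returns 1 if nothing usable was found.
kc_truststore_paths() {
  host_dir=$1
  container_dir=$2
  list=""
  for f in "$host_dir"/*.pem "$host_dir"/*.p12 "$host_dir"/*.pfx; do
    [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
    list="${list:+$list,}$container_dir/$(basename "$f")"
  done
  [ -n "$list" ] || return 1
  printf '%s\n' "$list"
}

# Return 0 only if every container path in list $3 maps back to a readable file in
# host directory $1 (container directory $2). Catches typos and files that were
# never copied into the mounted volume.
kc_truststore_check() {
  host_dir=$1
  container_dir=$2
  paths=$3
  status=0
  IFS=,
  set -- $paths                         # split the list on commas only
  unset IFS
  for p in "$@"; do
    h="$host_dir/${p#"$container_dir"/}"
    if [ -r "$h" ]; then
      echo "ok       $p"
    else
      echo "MISSING  $p (expected $h on host)" >&2
      status=1
    fi
  done
  return $status
}

# Print the corrected docker run line: KC_TRUSTSTORE_PATHS (plural) carrying the
# file list, instead of KC_TRUSTSTORE_PATH pointing at a bare directory.
kc_docker_run_cmd() {
  paths=$1
  printf 'docker run -p 8080:8080 -p 8443:8443 \\\n'
  printf '  -v kc_truststore:/opt/truststore \\\n'
  printf '  -e KC_TRUSTSTORE_PATHS=%s \\\n' "$paths"
  printf '  quay.io/keycloak/keycloak:latest start-dev --http-relative-path /auth\n'
}

# Usage: ./truststore.sh ./certs
main() {
  certs=${1:-./certs}
  paths=$(kc_truststore_paths "$certs" /opt/truststore) || {
    echo "no .pem/.p12/.pfx files found in $certs" >&2; exit 1; }
  kc_truststore_check "$certs" /opt/truststore "$paths" || exit 1
  kc_docker_run_cmd "$paths"
}

# Run main only when this file is executed as truststore.sh, so the functions
# can also be sourced from another script without side effects.
case $0 in */truststore.sh|truststore.sh) main "$@";; esac
```

Keycloak reads the files named here into its own system truststore, which is separate from the JVM cacerts keystore edited inside the container, so a certificate added only with keytool is not picked up by this mechanism.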
