Trouble Accessing Secure Admin Console After Keycloak Update – Did This P12 Trick Really Help?

I updated my Keycloak setup recently and noticed something strange: I can’t access the admin console securely over HTTPS anymore. I’ve used HTTPS with Keycloak in the past without any issues. I already set up the keystore, updated keycloak.conf with the correct paths and passwords, and used the right alias. The server starts fine, with no errors about the keystore, but when I open the admin console in the browser, I either get a certificate warning or it refuses to load completely, depending on which browser I’m using.

The certificate I’m using is the same .cer file that worked before. I generated it using OpenSSL, imported it properly, and paired it with the same private key I’ve always used. I double-checked the alias in the keystore. What I don’t understand is why browsers suddenly won’t trust it anymore. I even tried importing the certificate manually into the browser’s trust store, and Firefox lets me proceed, but Chrome completely blocks it.

At one point, I thought maybe the keystore format had something to do with it. That’s when I came across the idea of converting a .cer file into a .p12 file. This process is often referred to as “cer to p12”, and I found out it’s useful when working with tools that support PKCS#12 keystores. It basically combines the certificate and its private key into one portable file. I used an “SSL p12 generator from cer” approach with OpenSSL and pointed my Keycloak config to the .p12 file instead of a JKS or other format. That actually seemed to make the configuration part smoother. I was positively inspired by this idea because it made me feel like the process was cleaner and a little more organized.

Even with the .p12 file in place, the problem with the browser trust still remains. I’m wondering if I need to include the full certificate chain inside the keystore, not just my cert. Do I also need to include the intermediate CA cert? Would that help resolve the trust issues? I don’t have a certificate from a well-known CA, so I’m just using a self-signed certificate right now for local access. I thought importing it into the browser manually would be enough, but it’s inconsistent.

Another thing I’ve been wondering: does Keycloak require an absolute path in the keycloak.conf when pointing to the keystore file, or will a relative path work if I place the file correctly in the conf directory? I might be missing something small like that. Also curious if any of you had better luck using a JKS file for this kind of setup instead of .p12.

This setup isn’t exposed publicly; I’m just trying to get smooth access to the admin console on my local machine. I’m not sure why it worked fine before and suddenly browsers act differently now. Has something changed in how browsers treat local certificates? Or maybe something in how Keycloak handles them after the update? I’d like to hear if anyone ran into this or figured out a reliable way to make local HTTPS access work properly again after switching versions.
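
An added example, not part of the original post: one way to do the cer-to-p12 step described above with the OpenSSL CLI and then inspect what actually ended up in the keystore (certificate count, subject, issuer). The file names, the alias `server` and the password are placeholders; the subjectAltName check is included because current Chrome matches host names against that extension rather than the certificate's CN.

```shell
# Added example (not from the original post). File names, the alias "server"
# and the password are placeholders chosen for illustration.

# Normalise a .cer to PEM; .cer files are frequently DER-encoded.
cer_to_pem() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# cer_to_p12 CERT KEY OUT_P12 PASSWORD [CHAIN_PEM]
# Returns 2 (and writes nothing) if KEY is not the certificate's key.
cer_to_p12() {
    pem=$(mktemp) || return 1
    cer_to_pem "$1" "$pem" || { rm -f "$pem"; return 1; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        rm -f "$pem"; return 2
    fi
    rc=0
    # -certfile adds intermediate CA certificates when a chain file is given.
    openssl pkcs12 -export -in "$pem" -inkey "$2" -name server \
        ${5:+-certfile "$5"} -out "$3" -passout "pass:$4" || rc=$?
    rm -f "$pem"; return $rc
}

# p12_report P12 PASSWORD
# Prints the certificate count, the leaf's subject/issuer, and SAN presence.
p12_report() {
    all=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null) || return 1
    echo "certificates: $(printf '%s\n' "$all" | grep -c 'BEGIN CERTIFICATE')"
    # -clcerts limits the output to the certificate that belongs to the key.
    leaf=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -issuer -text)
    printf '%s\n' "$leaf" | grep -E '^(subject|issuer)='
    if printf '%s\n' "$leaf" | grep -q 'Subject Alternative Name'; then
        echo "san: present"
    else
        echo "san: missing"
    fi
}
```

Identical `subject=` and `issuer=` lines in the report mean the leaf is self-signed, so there is no intermediate to bundle.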