Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 10. Configuring trusted certificates for outgoing requests


When Red Hat build of Keycloak communicates with external services through TLS, it has to validate the remote server’s certificate in order to ensure it is connecting to a trusted server. This is necessary in order to prevent man-in-the-middle attacks. The certificates of these remote server’s or the CA that signed these certificates must be put in a truststore. This truststore is managed by the Keycloak server.

The truststore is used when connecting securely to identity brokers, LDAP identity providers, when sending emails, and for backchannel communication with client applications. It is also useful when you want to change the policy on how host names are verified and trusted by the server.

By default, a truststore provider is not configured, and any TLS/HTTPS connections fall back to standard Java Truststore configuration. If there is no trust established, then these outgoing requests will fail.

10.1. Configuring the Red Hat build of Keycloak Truststore

You can add your truststore configuration by entering this command:

bin/kc.[sh|bat] start --spi-truststore-file-file=myTrustStore.jks --spi-truststore-file-password=password --spi-truststore-file-hostname-verification-policy=ANY
Copy to Clipboard Toggle word wrap

The following are possible configuration options for this setting:

file
The path to a Java keystore file. TLS requests need a way to verify the host of the server to which they are talking. This is what the truststore does. The keystore contains one or more trusted host certificates or certificate authorities. This truststore file should only contain public certificates of your secured hosts. This is REQUIRED if any of these properties are defined.
password
Password of the keystore. This option is REQUIRED if any of these properties are defined.
hostname-verification-policy

For HTTPS requests, this option verifies the hostname of the server’s certificate. Default: WILDCARD

  • ANY means that the hostname is not verified.
  • WILDCARD allows wildcards in subdomain names, such as *.foo.com.
  • When using STRICT, the Common Name (CN) must match the hostname exactly.

    Please note that this setting does not apply to LDAP secure connections, which require strict hostname checking.

type
The type of truststore, such as jks, pkcs12 or bcfks. If not provided, the type would be detected based on the truststore file extension or platform default type.

10.1.1. Example of a truststore configuration

The following is an example configuration for a truststore that allows you to create trustful connections to all mycompany.org domains and its subdomains:

bin/kc.[sh|bat] start --spi-truststore-file-file=path/to/truststore.jks --spi-truststore-file-password=change_me --spi-truststore-file-hostname-verification-policy=WILDCARD
Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat