Running Keycloak with TLS (Self-signed certificate)

This post will go through how to quickly set up a self-signed TLS certificate for running an instance of Keycloak locally. Only for local development purposes.

  • OpenSSL
  • Keycloak (Quarkus) distribution

openssl req -newkey rsa:2048 -nodes \
-keyout keycloak-server.key.pem -x509 -days 3650 -out keycloak-server.crt.pem

It will prompt for details such as:

Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []

Use the kc shell script to launch the Keycloak server, passing the server certificate and key as flags.

./kc.sh start-dev --https-port=8081 --https-certificate-file=keycloak-server.crt.pem --https-certificate-key-file=keycloak-server.key.pem

Keycloak (TLS)

[io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.6.Final) started in 2.190s. Listening on: and

I am using the Firefox browser to open the URL: It will warn about security risks because the certificate is self-signed.

NOTE: Only for local development.

Warning Potential Security Risk Ahead

Once you accept, you can see the Keycloak admin console running on HTTPS. Clients that require a valid TLS certificate will complain about the self-signed certificate.

Keycloak Admin Console
well-known openid-configuration

Running Keycloak with a self-signed certificate requires clients to set an “insecure” flag or otherwise skip TLS verification.

curl --insecure
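
An alternative to skipping verification is to have the client trust this one certificate. The script below is an added example, not part of the original post: it creates the same kind of certificate non-interactively with a subjectAltName, checks that it validates for the host name and matches the key, and defines the corresponding curl call. The host name localhost, the SAN values, the realm name master and the function names are assumptions; file names and the port follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-addext)
# and that Keycloak is reached as https://localhost:8081 (port from the post).
CERT=keycloak-server.crt.pem
KEY=keycloak-server.key.pem

# Same kind of self-signed certificate as in the post, but non-interactive
# (-subj) and with a subjectAltName, which clients match the hostname against.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$KEY" -out "$CERT" 2>/dev/null
    chmod 600 "$KEY"    # -nodes leaves the private key unencrypted on disk
}

# Succeeds only if a client that trusts this certificate and nothing else
# would accept it for host name "$1".
cert_valid_for_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Client side: trust only this certificate instead of passing --insecure.
# Needs the server from the post to be running, so it is not called here.
# The realm name "master" in the URL is an assumption.
fetch_discovery() {
    curl --cacert "$CERT" \
        "https://localhost:8081/realms/master/.well-known/openid-configuration"
}

make_cert && cert_valid_for_host localhost && key_matches_cert \
    && echo "certificate and key are consistent and valid for localhost"
```

With --cacert the client still rejects any other certificate presented on that port, which --insecure would accept.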
