Running Keycloak with TLS (Self-signed certificate)
This post shows how to quickly set up a self-signed TLS certificate for running a local instance of Keycloak. It is intended for local development only.
- Keycloak (Quarkus) distribution
Generate the SSL certificate (self-signed certificate) in your preferred terminal
openssl req -newkey rsa:2048 -nodes \
-keyout keycloak-server.key.pem -x509 -days 3650 -out keycloak-server.crt.pem
It will prompt for details such as:
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, fully qualified host name) :
Email Address :
Keycloak (Quarkus distribution using Keycloak 19.0.1)
Use the kc.sh shell script to launch the Keycloak server, passing the server certificate and key as flags.
./kc.sh start-dev --https-port=8081 --https-certificate-file=keycloak-server.crt.pem --https-certificate-key-file=keycloak-server.key.pem
[io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.6.Final) started in 2.190s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8081
I am using the Firefox browser to open the URL https://0.0.0.0:8081. It will warn about a security risk because the certificate is self-signed.
NOTE: Only for local development.
Once you accept, you can see the Keycloak admin console running on HTTPS. Clients that require a valid TLS certificate will complain about the self-signed certificate.
Well-known configuration endpoint
Using Keycloak with a self-signed certificate will require clients to set an “insecure” flag or skip TLS verification.
curl --insecure https://0.0.0.0:8081/realms/master/protocol/openid-connect/certs
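As an added example (not part of the original post): a non-interactive variant of the certificate generation above that adds a subjectAltName, plus a curl call that trusts this one certificate through --cacert so verification stays enabled instead of using --insecure. The localhost host name, the 127.0.0.1 SAN entry and the function names are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. File names match the post;
# the CN and SAN values are assumptions for a local development host.

# Generate the key and self-signed certificate without interactive prompts.
gen_dev_cert() {
    dir=$1
    ( umask 077   # files are created readable by the owner only
      openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
          -subj "/CN=localhost" \
          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
          -keyout "$dir/keycloak-server.key.pem" \
          -out "$dir/keycloak-server.crt.pem" )
}

# Print the SAN line: these are the only names a verifying client may use.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Subject Alternative Name" | tail -n 1
}

# Succeed only if the certificate ($1) and private key ($2) belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Fetch the realm's signing keys with TLS verification ON. The self-signed
# certificate ($1) is the only trust anchor for this request, and the URL
# host must match a SAN entry (localhost here, not 0.0.0.0).
fetch_certs() {
    curl --cacert "$1" \
        https://localhost:8081/realms/master/protocol/openid-connect/certs
}
```

Run `gen_dev_cert .` in the directory you start kc.sh from, then `fetch_certs keycloak-server.crt.pem` once the server is listening.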