Replies: 2 comments 4 replies
-
|
It does make life simpler for developers perhaps, but I question if it really is all that useful at all. Using a generated self-signed cert results in a cert that is not trusted by anyone, hence it most likely results in just accepting warnings, disabling checks, etc.. Resulting in the risk of going to production with clients that have disabled https checks. For those that really want to use https in development it really isn't all that difficult to generate a self-signed cert, which then let's you reuse the same cert for a while for development purposes, that you can import into a truststore for clients to use during development. Honestly, this really seems simpler than having Keycloak "randomly" generating certs. In addition I wonder how we would generate the cert? I'd be slightly more open to something like "kc.sh tools generate-self-signed-cert", which would store in the known location and automatically used. |
Beta Was this translation helpful? Give feedback.
-
|
I also like the idea of a But still not 100% sure if we should provide this, or alternatively a specific dev guide which shows how to generate one as part of the dev workflow instead. There are tons of docs on how to do it, and it is really not that hard, but adds some maintenance cost. tl;dr: not sure. |
Beta Was this translation helpful? Give feedback.
-
|
We already have code that uses bouncycastle to generate self-signed certs, so actually should be relatively trivial to generate the cert with pretty much code we already have. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, we should be able to create one with the code we have. But I was more concerned about avoiding any additional step but just run For instance, to deploy a dev/testing instance to k8s we would need to define multiple commands to the container + the necessary options to enable TLS. Instead of just running Any reason why we don't want to generate at startup when in dev mode? This option should not be available to the |
Beta Was this translation helpful? Give feedback.
-
|
Generating certs at startup seems a broken concept in my head. It won't be trusted by the browser or any clients. What happens next is folks start ignoring the warning, and disabling cert checks in their clients, which to be honest is worse than just using proxy=edge, or even just using http in dev scenarios. I'd say this is something we should really look for community feedback/requests on prior to adding? |
Beta Was this translation helpful? Give feedback.
-
|
Nice idea to have self-signed certificates generated in dev mode only |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
By default, Keycloak does not allow starting the server without providing the key material to enable TLS.
While this design principle makes sense when running in production mode, we should make life easier when it is desired to enable TLS in development mode. Even in development mode, you might want to enable TLS to dev/test specific scenarios or even to showcase (not deploy) how to run in production without going through additional steps.
With that in mind, the proposal is to allow configuring TLS when in development mode as follows:
The
https-certificate-auto-generatedoption would only be available to thestart-devcommand and disabled by default.Beta Was this translation helpful? Give feedback.
All reactions