ROOT CA
-------

Generate the CA private key:

    $ openssl genrsa -out ca.key 2048

Create and self-sign the root certificate:

    $ openssl req -new -x509 -key ca.key -out ca.crt

Import the root CA certificate into the truststore (the password values were left blank in the original; <truststore-password> is a placeholder for your own value):

    $ keytool -import -file ca.crt -keystore ca.truststore -keypass <truststore-password> -storepass <truststore-password>

WILDFLY
-------

Generate the WildFly server key:

    $ openssl genrsa -out wildfly.key 2048

Generate the WildFly certificate signing request:

    $ openssl req -new -key wildfly.key -out wildfly.csr

Sign the WildFly CSR with the CA key to produce the server certificate:

    $ openssl x509 -req -days 3650 -in wildfly.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildfly.crt

Convert the WildFly certificate to PKCS#12 format (-chain makes -CAfile effective, so the CA certificate is bundled with the server certificate):

    $ openssl pkcs12 -export -in wildfly.crt -inkey wildfly.key -out wildfly.p12 -name myserverkeystore -chain -CAfile ca.crt

Convert the WildFly PKCS#12 file to a Java keystore (<keystore-password> is a placeholder for your own value):

    $ keytool -importkeystore -deststorepass <keystore-password> -destkeypass <keystore-password> -destkeystore wildfly.keystore -srckeystore wildfly.p12 -srcstoretype PKCS12 -srcstorepass <keystore-password>

KEYCLOAK
--------

Generate the Keycloak server key:

    $ openssl genrsa -out keycloak.key 2048

Generate the Keycloak certificate signing request:

    $ openssl req -new -key keycloak.key -out keycloak.csr

Sign the Keycloak CSR with the CA key to produce the server certificate:

    $ openssl x509 -req -days 3650 -in keycloak.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt

Convert the Keycloak certificate to PKCS#12 format:

    $ openssl pkcs12 -export -in keycloak.crt -inkey keycloak.key -out keycloak.p12 -name myserverkeystore -chain -CAfile ca.crt

Convert the Keycloak PKCS#12 file to a Java keystore:

    $ keytool -importkeystore -deststorepass <keystore-password> -destkeypass <keystore-password> -destkeystore keycloak.keystore -srckeystore keycloak.p12 -srcstoretype PKCS12 -srcstorepass <keystore-password>

CLIENT (browser)
----------------

Generate the client key:

    $ openssl genrsa -out client.key 2048

Generate the client certificate signing request:

    $ openssl req -new -key client.key -out client.csr

Sign the client CSR with the CA key to produce the client certificate:

    $ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

Export the client certificate to PKCS#12 format (-certfile bundles the CA certificate so the browser import also trusts the CA):

    $ openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out clientCert.p12

FINAL STEPS
-----------

1. Import clientCert.p12 into the browser.
2. Copy wildfly.keystore and ca.truststore into WILDFLY_HOME\standalone\configuration.
3. Copy keycloak.keystore and ca.truststore into KEYCLOAK_HOME\standalone\configuration.
4. Paste the following inside security-realms in WILDFLY_HOME\standalone\configuration\standalone.xml:
5. Paste the following inside security-realms in KEYCLOAK_HOME\standalone\configuration\standalone.xml:
6. Replace https-listener with the following in WildFly's and Keycloak's standalone.xml:
7. Add the following properties to your app's keycloak.json (backslashes in a Windows path must be escaped in JSON; the password value was left blank in the original):

    ...
    "truststore": "C:\\your\\truststore\\path\\ca.truststore",
    "truststore-password": "<truststore-password>",
    ...
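The OpenSSL part of the procedure above, scripted so that the issued certificates are checked the way a TLS peer would check them (chain to ca.crt, serverAuth/clientAuth purpose, hostname in a SAN). This is an added example, not part of the original runbook; it assumes openssl is on PATH, and the -subj values, the extension file and the make_ca / issue_cert / verify_* / export_p12 names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original runbook): automate CA, server and client
# issuance, then verify each certificate as a browser or the server truststore
# would. Assumes openssl on PATH; all names below are this example's own.
set -e

# make_ca DIR: self-signed root with the runbook's file names (ca.key, ca.crt)
make_ca() {
  dir="$1"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Lab Root CA" 2>/dev/null
}

# issue_cert DIR NAME CN EKU: key, CSR and CA-signed cert. EKU is serverAuth or
# clientAuth. Server certs also get a DNS SAN: "x509 -req" without -extfile
# adds no extensions, and browsers match the hostname against the SAN, not the CN.
issue_cert() {
  dir="$1"; name="$2"; cn="$3"; eku="$4"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$cn" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
  if [ "$eku" = serverAuth ]; then
    printf 'subjectAltName=DNS:%s\n' "$cn" >> "$dir/$name.ext"
  fi
  openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# verify_server DIR NAME HOST: what a browser checks before trusting WildFly/Keycloak
verify_server() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$3" \
    "$1/$2.crt" >/dev/null 2>&1
}

# verify_client DIR NAME: what the server-side truststore check amounts to
verify_client() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}

# export_p12 DIR NAME PASSWORD: PKCS#12 with the CA bundled in (as the runbook's
# client step does with -certfile), then re-open it to prove the password works
export_p12() {
  openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/ca.crt" \
    -name "$2" -out "$1/$2.p12" -passout "pass:$3" 2>/dev/null
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -noout 2>/dev/null
}
```

The resulting .p12 files can then be fed to the keytool -importkeystore steps from the runbook unchanged.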