Using OpenSSL to Manage TLS Certificates in Keycloak

A single misconfigured certificate can break your Keycloak deployment. OpenSSL is the tool that keeps your realm secure and your connections trusted. When you need to generate, inspect, or convert certificates for Keycloak, OpenSSL is the fastest path with the most control.

Keycloak supports TLS for securing communication between clients, admin consoles, and identity provider endpoints. To enable TLS, you need a keystore with a valid private key and certificate chain. OpenSSL lets you create these artifacts with precision.

Generate a private key and certificate

openssl genrsa -out keycloak.key 2048
openssl req -new -key keycloak.key -out keycloak.csr
openssl x509 -req -in keycloak.csr -signkey keycloak.key -out keycloak.crt -days 365

This creates a 2048-bit RSA key, a CSR, and a self-signed certificate. To avoid browser warnings, skip the -signkey step: submit the CSR to your CA and use the certificate it issues instead of the self-signed one.

Convert to PKCS12 format for Keycloak

Keycloak often uses .p12 or .jks formats for keystores. OpenSSL can convert your PEM files:

openssl pkcs12 -export \
 -in keycloak.crt \
 -inkey keycloak.key \
 -out keycloak.p12 \
 -name keycloak \
 -CAfile ca.crt \
 -caname root

Import keycloak.p12 into a Java keystore with keytool if needed.

Verify your certificate and key

Always confirm your TLS files match before wiring them into Keycloak.

openssl x509 -noout -modulus -in keycloak.crt | openssl md5
openssl rsa -noout -modulus -in keycloak.key | openssl md5

The two hash outputs must be identical. If they differ, the key and certificate do not belong together and you will see TLS handshake failures.

Common tasks

  • Renew expiring certs before downtime
  • Inspect endpoints with openssl s_client -connect host:8443
  • Check certificate chain validity with openssl verify -CAfile
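The whole workflow above (key and CSR, CA-signed certificate, PKCS12 export, key/certificate match) together with the chain and expiry checks from this list, as one added shell script. It is not part of the original article: it stands up a throwaway CA in place of your real one, and the hostname keycloak.example, the password changeit and the CA name are constructed placeholders. Two deliberate departures from the commands on the page: the match check hashes the DER public key instead of the RSA modulus so it also works for EC keys, and the PKCS12 export uses -certfile to bundle the CA explicitly, since -CAfile only tells openssl where to search when -chain is also given.

```shell
#!/bin/sh
# Added example (not from the original article): build a local CA, issue a
# Keycloak server certificate from a CSR, export it to PKCS12, and run the
# checks a practitioner wants before the files are handed to Keycloak.
# Hostname, password and CA name below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOSTNAME_KC="keycloak.example"   # assumed Keycloak hostname; must appear in the SAN
P12_PASS="changeit"              # placeholder keystore password; use a secret in real deployments

# 1. Throwaway root CA standing in for your real CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Root CA (constructed)" 2>/dev/null
}

# 2. Server key and CSR; -subj replaces the interactive prompts.
make_server_csr() {
  openssl genrsa -out "$WORK/keycloak.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/keycloak.key" -out "$WORK/keycloak.csr" \
    -subj "/CN=$HOSTNAME_KC"
}

# 3. Sign the CSR with the CA instead of -signkey. Browsers match the
#    subjectAltName, not the CN, so it is supplied through an extension file.
sign_with_ca() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOSTNAME_KC" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/keycloak.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/keycloak.crt" 2>/dev/null
}

# 4. Bundle key, leaf certificate and CA into a PKCS12 keystore.
export_p12() {
  openssl pkcs12 -export -in "$WORK/keycloak.crt" -inkey "$WORK/keycloak.key" \
    -certfile "$WORK/ca.crt" -name keycloak -caname root \
    -out "$WORK/keycloak.p12" -passout "pass:$P12_PASS"
}

# Prints "match" or "MISMATCH" for certificate $1 and private key $2.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
}

# Exit 0 only if certificate $2 chains to CA file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Exit 0 only if certificate $1 is still valid $2 seconds from now.
not_expiring_within() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Exit 0 only if the SAN of certificate $1 lists hostname $2.
san_has_host() { openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"; }

# Exit 0 only if PKCS12 file $1 opens with password $2 and carries the CA as well as the leaf.
p12_has_chain() {
  n=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -ge 2 ]
}

make_ca && make_server_csr && sign_with_ca && export_p12
echo "key/cert: $(key_matches_cert "$WORK/keycloak.crt" "$WORK/keycloak.key")"
chain_ok "$WORK/ca.crt" "$WORK/keycloak.crt" && echo "chain: OK"
not_expiring_within "$WORK/keycloak.crt" 2592000 && echo "expiry: more than 30 days left"
echo "artifacts in $WORK"
```

Run it once, then point Keycloak at $WORK/keycloak.p12 with the same password; the -checkend call (2592000 seconds is 30 days) is the piece worth wiring into a cron job so renewals happen before a client ever sees an expired chain.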

OpenSSL with Keycloak is a direct, scriptable way to ensure your identity infrastructure meets strict security standards. No GUI clicking, no ambiguity—just the right files, in the right place.

See this in action and get a live Keycloak environment ready in minutes at hoop.dev.