Red Hat build of Keycloak (RHBK) Certificate Revocation List (CRL) Hardening for CRL Expiration

Solution In Progress - Updated -

Issue

Currently, Red Hat build of Keycloak does Certificate Revocation List (CRL) checking either locally or remotely and will fail x509 authentication if the CRL is not reachable. Though it will check the CRL for validity with a signature check, it does not do a comparison of the current time against the nextUpdate time in the CRL to check if the CRL is date valid.

Environment

  • Red Hat build of Keycloak (RHBK)
    • 22.X
    • 24.X
    • 26.X

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content