Simplified encryption for JGroups communication #35577

@pruivo

Description

Encrypting all network traffic is important for a secure deployment. However, this is cumbersome and the complexity involved often results in it not being secured properly or not at all.

The main goal is to provide an automatic way to encrypt the traffic, without user configuration. Certificates and keys will be generated and managed by the Keycloak server.

Acceptance Criteria

  • Auto-generate the necessary keys and certificates.
  • Rotate keys/certificates periodically.

Other details

  • Have a database table holding a single self-signed certificate.
  • Only TCP is supported as a transport protocol for this kind of encryption; TCP NIO is out of scope.
  • The coordinator is responsible for rotating the certificate.
    After a successful rotation in the database it sends a notification to the other nodes via the Work cache.
  • New CLI option --cache-embedded-mtls-key-rotation-interval.
    Default 30 days; the parameter's unit is days.
    The certificate will be valid for rotation interval * 2 (60 days by default).
  • Do a performance test/comparison for single-site.

Only when people ask for it (out of scope):

  • Rotate the certificate on demand with a REST endpoint.
  • Support hot-reload of certificates provided as a file -> independent follow-up PR.

Individual key pairs for each node are out of scope, as we don't see the added value today: hot reloading is possible even without that.
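The rotation schedule described above (one shared certificate, rotated by the coordinator every rotation interval, each certificate valid for twice that interval) modelled as an added example. This is constructed code, not Keycloak's implementation; the `simulate` helper and the epoch date are assumptions, and the point it demonstrates is that a node which has not yet received the rotation notification keeps a usable certificate for at most one more interval.

```python
"""Constructed model (not Keycloak's code) of the rotation schedule in this issue:
one shared self-signed certificate, rotated by the coordinator every
`rotation_interval_days` and issued with a validity of 2 * that interval."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_ROTATION_INTERVAL_DAYS = 30  # default of --cache-embedded-mtls-key-rotation-interval


@dataclass(frozen=True)
class SharedCertificate:
    """Metadata of the single certificate kept in the database table."""
    serial: int
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


def validity_days(rotation_interval_days: int) -> int:
    """Certificate validity is rotation interval * 2 (60 days by default)."""
    if rotation_interval_days < 1:
        raise ValueError("rotation interval must be at least one day")
    return 2 * rotation_interval_days


def issue(serial: int, now: datetime, rotation_interval_days: int) -> SharedCertificate:
    return SharedCertificate(serial, now, now + timedelta(days=validity_days(rotation_interval_days)))


def rotation_due(cert: SharedCertificate, now: datetime, rotation_interval_days: int) -> bool:
    """Coordinator-side check: rotate once one interval has passed since issuance."""
    return now >= cert.not_before + timedelta(days=rotation_interval_days)


def simulate(rotation_interval_days: int, days_elapsed: int) -> dict:
    """Run the coordinator's daily check for `days_elapsed` days and report whether the
    previous certificate is still usable by a node that missed the rotation notification."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed epoch, assumption
    current, previous = issue(1, start, rotation_interval_days), None
    for day in range(1, days_elapsed + 1):
        now = start + timedelta(days=day)
        if rotation_due(current, now, rotation_interval_days):
            previous, current = current, issue(current.serial + 1, now, rotation_interval_days)
    now = start + timedelta(days=days_elapsed)
    return {
        "serial": current.serial,
        "previous_still_valid": previous is not None and previous.is_valid_at(now),
        "grace_days_left": max((previous.not_after - now).days, 0) if previous else 0,
    }
```

With the 30-day default, a node that lags one rotation still has up to 30 days of grace; a node that misses two consecutive rotations is locked out, which is the trade-off of sharing a single certificate.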
