Launching a Keycloak server with SSL

Here’s how I set up a Keycloak server with an SSL certificate from Let’s Encrypt.


  • Launch EC2 instance
  • Install OpenJDK
  • Follow Keycloak Getting Started tutorial.
  • Create the first admin user with the command-line tool, explained here.
  • Make sure the EC2 instance accepts port 8080 from your IP address.
  • Open a browser and access http://your.ec2.ip.address/auth for the Keycloak admin screen.

SSL by Let’s Encrypt

Prepare a new domain and configure it in your DNS settings.

We use nginx to obtain the certificates for your-domain-name.

Install nginx and configure its server name to your domain of choice. (/etc/nginx/nginx.conf)

Make sure you can access http://your-domain-name from your browser.

Install certbot. EC2 Amazon Linux 2 didn’t offer snapd, so I installed certbot with yum:

sudo amazon-linux-extras install epel
sudo yum install certbot
sudo yum install certbot-nginx

Create the Let’s Encrypt certificates. The .pem files are created in /etc/letsencrypt/archive/your-domain-name/, and symlinks to them are made in /etc/letsencrypt/live/your-domain-name/.

Use the Let’s Encrypt certificate for Keycloak. Convert the certificates to a PKCS12 keystore and specify it in the Keycloak config:
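The conversion step, as an added example (not code from the original post): it builds the PKCS12 keystore from the certbot live directory with openssl, keeps the file private, and checks that the keystore holds the same certificate as fullchain.pem. The function names, the keycloak alias and the password-file argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build a PKCS12 keystore for Keycloak from Let's Encrypt PEM files.
# Hypothetical names: pem_to_p12, p12_matches_cert, alias "keycloak".
# Usage (paths are placeholders):
#   pem_to_p12 /etc/letsencrypt/live/your-domain-name keycloak.p12 /path/to/password-file

# pem_to_p12 LIVE_DIR OUT_FILE PASSWORD_FILE
# The password is read from a file so it never shows up in the process list
# or in shell history.
pem_to_p12() {
    local live_dir=$1 out=$2 pass_file=$3 tmp
    [ -r "$live_dir/fullchain.pem" ] && [ -r "$live_dir/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $live_dir" >&2; return 1; }
    [ -s "$pass_file" ] || { echo "empty password file: $pass_file" >&2; return 1; }

    # Write to a private temp file first, then rename, so a failed export
    # never leaves a half-written keystore in place.
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if openssl pkcs12 -export \
            -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
            -name keycloak -passout "file:$pass_file" -out "$tmp"; then
        # The keystore contains the private key: owner read/write only.
        chmod 600 "$tmp" && mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# p12_matches_cert P12_FILE PASSWORD_FILE CERT_PEM
# Succeeds only if the leaf certificate in the keystore has the same SHA-256
# fingerprint as the first certificate in CERT_PEM (the leaf in fullchain.pem).
p12_matches_cert() {
    local want got
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256) || return 1
    [ "$want" = "$got" ]
}
```

The keystore is a copy of the PEM files, so it has to be rebuilt after every certbot renewal, for example from a certbot deploy hook.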

Start the Keycloak server and check that https://your-domain-name:8443/auth is accessible.

Then block port 8080 in the AWS security rules to force SSL only.

Run as daemon