Google as Identity Provider - dcm4che/dcm4chee-arc-light GitHub Wiki

Configurations in Keycloak and Google

Google's certificate CA in JDK Truststore

  • Download the PEM certificate from Google's website: in the browser, open View Page Info -> Security -> View Certificate -> Global Sign.

  • From JDK 11 onwards, Google Trust Services GlobalSign is part of the default set of root Certification Authority (CA) certificates. Verify that the CA is available in the JDK truststore:

    keytool -list -v -keystore /usr/lib/jvm/java-13-oracle/lib/security/cacerts
    
    Alias name: debian:globalsign_ecc_root_ca_-_r4.pem
    Creation date: May 14, 2019
    Entry type: trustedCertEntry
    
    Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
    Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
    Serial number: 2a38a41c960a04de42b228a50be8349802
    Valid from: Tue Nov 13 01:00:00 CET 2012 until: Tue Jan 19 04:14:07 CET 2038
    Certificate fingerprints:
    	 SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
    	 SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
    Signature algorithm name: SHA256withECDSA
    Subject Public Key Algorithm: 256-bit EC (secp256r1) key
    Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #2: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]
    
    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 54 B0 7B AD 45 B8 E2 40   7F FB 0A 6E FB BE 33 C9  T.{.E..@...n..3.
    0010: 3C A3 84 D5                                        <...
    ]
    ]
    
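  • If the CA is not available, or an older JDK version is in use, add Google's CA to the JDK truststore:

    sudo -i
    # cacerts is a binary keystore, so import the PEM with keytool instead of appending it
    # (the alias is an arbitrary label chosen here; the default cacerts password is "changeit")
    keytool -importcert -trustcacerts -alias google-globalsign-ca -file /Downloads/www-google-com.pem -keystore /usr/lib/jvm/<JDKOlderThan11>/lib/security/cacerts
    exit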
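
Truststore aliases differ between JDK builds and distributions (the listing above carries a `debian:` prefix), so matching on the SHA-256 fingerprint is more reliable than searching for a name. The script below is an added example, not part of the original wiki: the function names and the `STOREPASS` variable are assumptions of this sketch, and it expects English `keytool -list -v` output.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): find a CA in a truststore by SHA-256
# fingerprint. Assumes English `keytool -list -v` output.

# Normalise a fingerprint: strip colons and whitespace, upper-case the hex.
norm_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Read `keytool -list -v` output on stdin and print the alias of the entry
# whose SHA256 fingerprint equals $1. Exit status 0 if found, 1 if not.
find_alias_by_sha256() {
  local want entry line fp
  want=$(norm_fp "$1")
  entry=""
  while IFS= read -r line; do
    case "$line" in
      "Alias name: "*) entry=${line#"Alias name: "} ;;
      *"SHA256: "*)
        fp=${line#*"SHA256: "}
        fp=$(norm_fp "$fp")
        if [ "$fp" = "$want" ]; then
          printf '%s\n' "$entry"
          return 0
        fi ;;
    esac
  done
  return 1
}

# Excerpt of the keytool listing shown on this page, for an offline check.
page_excerpt() {
  cat <<'EOF'
Alias name: debian:globalsign_ecc_root_ca_-_r4.pem
Creation date: May 14, 2019
Entry type: trustedCertEntry
Certificate fingerprints:
	 SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
	 SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
Signature algorithm name: SHA256withECDSA
EOF
}

# Query a real truststore: check_truststore <cacerts path> <sha256 fingerprint>
# STOREPASS is a variable of this sketch; "changeit" is the JDK default.
check_truststore() {
  keytool -list -v -keystore "$1" -storepass "${STOREPASS:-changeit}" \
    | find_alias_by_sha256 "$2"
}
```

After sourcing the script, `check_truststore` prints the matching alias and returns 0 when the root is trusted; a non-zero status means the import step above is still needed.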
    