Easy-RSA can help you to:
- create a dedicated private CA
- issue client certificates for authentication
- on CentOS / Rocky Linux / RHEL:
sudo yum install easy-rsa
- on Debian / Ubuntu:
sudo apt install easy-rsa
- on Gentoo:
sudo emerge -qavt app-crypt/easy-rsa
Edit .env to fit your needs, according to the documentation.
export EASYRSA_VARS_FILE=.env
easyrsa init-pki
easyrsa build-ca
cp pki/ca.crt ../trustedCAs/
This example generates a certificate for the sample user defined in config/keycloak/guacamole-realm-config/users.tf:
export EASYRSA_VARS_FILE=.env
easyrsa --subject-alt-name="email:alice@domain.com" build-client-full guacuser
easyrsa export-p12 guacuser
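A check worth running on the issued certificate before the p12 leaves your hands, added here as an example (it is not part of the original instructions): it confirms that the certificate chains to the CA copied to trustedCAs, is valid for TLS client authentication, and carries exactly the expected email SAN. The function name check_client_cert is made up for this example, and pki/issued/guacuser.crt assumes Easy-RSA's default PKI layout.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# Usage: check_client_cert <ca.crt> <client.crt> <expected-email>
# Returns 0 if all checks pass, 1/2/3 for the first check that fails.
check_client_cert() {
    cc_ca=$1 cc_crt=$2 cc_email=$3

    # 1. The certificate must chain to the private CA.
    openssl verify -CAfile "$cc_ca" "$cc_crt" >/dev/null 2>&1 || {
        echo "FAIL: $cc_crt does not chain to $cc_ca" >&2
        return 1
    }

    # 2. Key usage / extended key usage must not exclude TLS client auth
    #    (rejects, for instance, a certificate issued with serverAuth only).
    openssl verify -CAfile "$cc_ca" -purpose sslclient "$cc_crt" >/dev/null 2>&1 || {
        echo "FAIL: $cc_crt is not valid for TLS client authentication" >&2
        return 2
    }

    # 3. The SAN list must contain the exact entry email:<expected-email>.
    #    The list is split on commas and matched as a whole line, so
    #    alice@domain.com does not match alice@domain.com.example.
    cc_sans=$(openssl x509 -in "$cc_crt" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//')
    printf '%s\n' "$cc_sans" | grep -qxF "email:$cc_email" || {
        echo "FAIL: SAN email:$cc_email not found in $cc_crt" >&2
        return 3
    }

    echo "OK: $cc_crt chains to $cc_ca, client auth, email:$cc_email"
}

# Run directly, e.g. (paths assume Easy-RSA's default layout):
#   sh check.sh pki/ca.crt pki/issued/guacuser.crt alice@domain.com
if [ "$#" -eq 3 ]; then
    check_client_cert "$@"
fi
```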
The p12 file is ready to be sent to the user, by email for example. He will simply need to import it into his favorite web browser.
The passphrase of the p12 file may be sent by another channel.