Re: Reverse proxy from NGINX to Keycloak with 2FA

May 03, 2018 03:55AM
Hi Francis,

Thanks for your reply.

I have tried with a TCP port forwarder ("stream"), but my host is changed to the client's URL, which sends me directly to Keycloak. I do not want to have direct access to Keycloak, so I use a proxy.

Keycloak has been configured to verify a client certificate that needs its CN to be identical to the username you enter. Normally it has a keystore and truststore installed to check by whom it was issued and signed (which is associated with the Key Management System for whether it is invalid or revoked).

I have done it, and NGINX can check the client certificate (I added these things: ssl_client_certificate path-of-root-ca, and ssl_verify_client on), whether it has been issued and signed by my PKI Key Management System, but the problem is that the user can submit a certificate from one user, and in Keycloak announce himself as another. I want to stop this, so that I have full 2FA. Keycloak is the only one to check it.

I want to ask you, can the client certificate that is attached to NGINX through the ssl_verify_client option be forwarded to Keycloak?

Best regards,
Goce Joncheski
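
An added configuration example, not part of the original post or thread: one way to pass the certificate that nginx has already verified on to the proxied backend as a request header, so the backend can compare its CN with the entered username. The server name, file paths, backend address and the three SSL-Client-* header names are assumptions; the header names must match whatever the backend is configured to read.

```nginx
# Added example: names, paths and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name sso.example.test;                       # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;   # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;

    # Client-certificate check described in the post: the chain must
    # verify against the PKI root CA, otherwise the request is rejected.
    ssl_client_certificate /etc/nginx/tls/root-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;                           # adjust to the PKI's chain length

    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder backend address

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # proxy_set_header replaces any value the client sent under the
        # same header name, so the backend only sees what nginx verified.
        # $ssl_client_escaped_cert is the URL-encoded PEM certificate
        # (available since nginx 1.13.5).
        proxy_set_header SSL-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header SSL-Client-Verify $ssl_client_verify;   # SUCCESS, FAILED:reason or NONE
        proxy_set_header SSL-Client-S-DN   $ssl_client_s_dn;     # subject DN of the verified cert
    }
}
```

The backend should accept connections only from nginx; if it can be reached directly, a client can supply these headers itself and the CN-to-username check no longer proves possession of the certificate.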
Subject | Author | Posted
Reverse proxy from NGINX to Keycloak with 2FA | Joncheski | April 23, 2018 04:43AM
Re: Reverse proxy from NGINX to Keycloak with 2FA | Francis Daly | April 30, 2018 06:38PM
Re: Reverse proxy from NGINX to Keycloak with 2FA | Joncheski | May 03, 2018 03:55AM
Re: Reverse proxy from NGINX to Keycloak with 2FA | Francis Daly | May 04, 2018 09:24AM


