Deploying to main from @ 9e764b5f96cf864ddac69c3c09d4a9bc8eea4770 🚀

ahus1 · ahus1 · commit e89d121bbca0 · 2026-05-27T06:35:34.000Z
diff --git a/extensions.html b/extensions.html
@@ -272,7 +272,7 @@ <h5 class="card-title">Crossplane provider for Keycloak</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>60 stars</span>
+                                        <span data-nosnippet>61 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -306,7 +306,7 @@ <h5 class="card-title">Event Listener Utilities</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>298 stars</span>
+                                        <span data-nosnippet>300 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -408,7 +408,7 @@ <h5 class="card-title">Keycloak Helm Chart HelmForge</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>21 stars</span>
+                                        <span data-nosnippet>22 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -768,7 +768,7 @@ <h5 class="card-title">Restrict Client Auth</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>424 stars</span>
+                                        <span data-nosnippet>426 stars</span>
                                     </div>
                                 </div>
                         </div>
diff --git a/nightly/server/haproxy-reencrypt.html b/nightly/server/haproxy-reencrypt.html
@@ -158,6 +158,10 @@ <h2 id="haproxy-configuration-reencrypt"><a class="anchor" href="#haproxy-config
     http-request del-header uber-trace-id
     http-request del-header x-ot-span-context
 
+    # Optional. Forward client identities so that client certificate lookups work as expected
+    http-request set-header Client-Cert %[ssl_c_der,base64] if { ssl_c_used } { ssl_c_verify 0 }
+    http-request set-header Client-Cert-Chain %[ssl_c_chain_der,base64] if { ssl_c_used } { ssl_c_verify 0 }
+
     # Public paths. Revisit the reverse proxy guide for the latest guidance. <i class="conum" data-value="4"></i><b>(4)</b>
     # With these settings, the redirect to the welcome screen or Admin UI will not work from external IP addresses, and this is expected.
     acl is_public_path path_beg /realms/
@@ -315,6 +319,24 @@ <h2 id="keycloak-configuration-haproxy-reencrypt"><a class="anchor" href="#keycl
 </dd>
 </dl>
 </div>
+<div class="sect2">
+<h3 id="_enabling_client_certificate_lookups"><a class="anchor" href="#_enabling_client_certificate_lookups"></a>Enabling client certificate lookups</h3>
+<div class="paragraph">
+<p>To enable the client certificate lookups, the following CLI options are required when starting Keycloak:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-bash" data-lang="bash">bin/kc.[sh|bat] start --spi-x509cert-lookup--provider=haproxy --spi-x509cert-lookup--haproxy--ssl-client-cert=Client-Cert --spi-x509cert-lookup--haproxy--ssl-cert-chain=Client-Cert-Chain --spi-x509cert-lookup--haproxy--certificate-chain-length=2</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>If the number of intermediate certificates in your certificate chain is longer than the default, you must set the
+<code>certificate-chain-length</code> option to an appropriate value. Otherwise, the provider will discard the request.</p>
+</div>
+<div class="paragraph">
+<p>See <a href="https://www.keycloak.org/nightly/server/reverseproxy">Configuring a reverse proxy</a> for more details.</p>
+</div>
+</div>
 </div>
 </div>
 <div class="sect1">
diff --git a/nightly/server/reverseproxy.html b/nightly/server/reverseproxy.html
@@ -866,7 +866,13 @@ <h3 id="_enabling_client_certificate_lookup"><a class="anchor" href="#_enabling_
 <td class="tableblock halign-left valign-top"><p class="tableblock">The prefix of the headers holding additional certificates in the chain and used to retrieve individual
 certificates according to the length of the chain. For instance, a value <code>CERT_CHAIN</code> will tell the server
 to load additional certificates from headers <code>CERT_CHAIN_0</code> to <code>CERT_CHAIN_9</code> if <code>certificate-chain-length</code> is set to <code>10</code>.</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock"><code>apache</code>, <code>haproxy</code>, <code>nginx</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>apache</code>, <code>nginx</code></p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">ssl-cert-chain</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The name of the header holding the full certificate chain as a single value.
+All chain certificates are contained in one header rather than split across indexed headers.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>haproxy</code>, <code>rfc9440</code></p></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">certificate-chain-length</p></td>
@@ -876,6 +882,68 @@ <h3 id="_enabling_client_certificate_lookup"><a class="anchor" href="#_enabling_
 </tbody>
 </table>
 <div class="sect3">
+<h4 id="_configuring_the_haproxy_provider"><a class="anchor" href="#_configuring_the_haproxy_provider"></a>Configuring the HAProxy provider</h4>
+<div class="paragraph">
+<p>HAProxy can forward client certificates as base64-encoded DER using its <code>ssl_c_der,base64</code> and <code>ssl_c_chain_der,base64</code> sample fetches.
+The <code>haproxy</code> provider reads the client certificate from the <code>ssl-client-cert</code> header and the certificate chain from the <code>ssl-cert-chain</code> header.</p>
+</div>
+<div class="paragraph">
+<p>The options and defaults specific to <code>haproxy</code> are as follows:</p>
+</div>
+<table class="tableblock frame-all grid-all fit-content">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Option</th>
+<th class="tableblock halign-left valign-top">Description</th>
+<th class="tableblock halign-left valign-top">Default</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">ssl-client-cert</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The name of the header holding the client certificate.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">(none)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">ssl-cert-chain</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The name of the header holding the full certificate chain as a single base64-encoded DER value. HAProxy&#8217;s <code>ssl_c_chain_der,base64</code> produces the concatenated DER encoding of all CA certificates in one value.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">(none)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">certificate-chain-length</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The maximum number of certificates to load from the chain header.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>Example HAProxy configuration:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code>http-request set-header Client-Cert %[ssl_c_der,base64] if { ssl_c_used } { ssl_c_verify 0 }
+http-request set-header Client-Cert-Chain %[ssl_c_chain_der,base64] if { ssl_c_used } { ssl_c_verify 0 }</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Corresponding Keycloak configuration:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-bash" data-lang="bash">bin/kc.[sh|bat] start --spi-x509cert-lookup--provider=haproxy --spi-x509cert-lookup--haproxy--ssl-client-cert=Client-Cert --spi-x509cert-lookup--haproxy--ssl-cert-chain=Client-Cert-Chain --spi-x509cert-lookup--haproxy--certificate-chain-length=2</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>If the number of intermediate certificates in your certificate chain is longer than the default, you must set the
+<code>certificate-chain-length</code> option to an appropriate value. Otherwise, the provider will discard the request.</p>
+</div>
+</div>
+<div class="sect3">
 <h4 id="_configuring_the_nginx_provider"><a class="anchor" href="#_configuring_the_nginx_provider"></a>Configuring the NGINX provider</h4>
 <div class="paragraph">
 <p>The NGINX SSL/TLS module does not expose the client certificate chain. Keycloak&#8217;s NGINX certificate lookup provider rebuilds it by using the Keycloak truststore.</p>
@@ -945,8 +1013,8 @@ <h4 id="_configuring_the_rfc9440_provider"><a class="anchor" href="#_configuring
 </tbody>
 </table>
 <div class="paragraph">
-<p>If your certificate chain is longer than the default, you must set the <code>certificate-chain-length</code> option to an appropriate value.
-Otherwise, the provider will discard the request.</p>
+<p>If the number of intermediate certificates in your certificate chain is longer than the default, you must set the
+<code>certificate-chain-length</code> option to an appropriate value. Otherwise, the provider will discard the request.</p>
 </div>
 </div>
 <div class="sect3">
diff --git a/nightly/ui-customization/quick-theme.html b/nightly/ui-customization/quick-theme.html
@@ -223,7 +223,7 @@ <h3 id="_trying_out_your_new_theme"><a class="anchor" href="#_trying_out_your_ne
 <p>Your theme includes the images and colors you provided. They appear throughout the Account Console, Admin Console, and login page.</p>
 </div>
 <div class="paragraph">
-<p>Once your "Quick Theme" archive jar is deployed, you can fully test it using the procedures shown in the <a href="#themes">Themes chapter</a>.  Essentially, you just need to choose your new theme on the Realm settings -&#8594; Themes tab.</p>
+<p>Once your "Quick Theme" archive jar is deployed, you can fully test it using the procedures shown in the <a href="https://www.keycloak.org/nightly/ui-customization/themes">Working with themes</a> guide. Essentially, you just need to choose your new theme on the Realm settings &#8594; Themes tab.</p>
 </div>
 </div>
 </div>
diff --git a/nightly/ui-customization/themes-react.html b/nightly/ui-customization/themes-react.html
@@ -185,7 +185,7 @@ <h2 id="_translating_the_pages"><a class="anchor" href="#_translating_the_pages"
 <h2 id="_using_the_pages"><a class="anchor" href="#_using_the_pages"></a>Using the pages</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>To see how to further integrate the pages, we recommend that you take a look at the output of the tool in the <a href="#creating-your-own-console">Creating your own Console</a> chapter.</p>
+<p>To see how to further integrate the pages, we recommend that you take a look at the output of the tool in the <a href="https://www.keycloak.org/nightly/ui-customization/creating-your-own-console">Creating your own Console</a> guide.</p>
 </div>
 </div>
 </div>            </div>
diff --git a/nightly/ui-customization/welcome-theme.html b/nightly/ui-customization/welcome-theme.html
@@ -109,7 +109,7 @@ <h1>Customizing the Welcome Theme</h1>
 <p>Since the welcome theme is not associated with a realm, it cannot be selected in the admin console like other themes.</p>
 </div>
 <div class="paragraph">
-<p>To change the welcome theme, create and deploy a new welcome theme as described in <a href="#_creating-a-theme">Creating a theme</a>.  Then, start the Keycloak server using the <code>spi-theme&#8212;&#8203;welcome-theme</code> option.</p>
+<p>To change the welcome theme, create and deploy a new welcome theme as described in <a href="https://www.keycloak.org/nightly/ui-customization/themes#_creating-a-theme">Working with themes</a>. Then, start the Keycloak server using the <code>spi-theme&#8212;&#8203;welcome-theme</code> option.</p>
 </div>
 <div class="listingblock">
 <div class="content">
diff --git a/translations.html b/translations.html
@@ -896,7 +896,7 @@ <h1>Translations</h1>
         </tbody>
     </table>
 
-    <p  data-nosnippet>(Statistics updated daily. Last update: 2026-05-26T06:24:58Z)</p>
+    <p  data-nosnippet>(Statistics updated daily. Last update: 2026-05-27T06:32:28Z)</p>
 
 </div>
 
