Keycloak Docker HTTPS required

Update Feb 2022:

Keycloak 17+ (e.g. quay.io/keycloak/keycloak:17.0.0) does not support autogeneration of a self-signed cert. Minimal HTTPS working example for Keycloak 17+:

1.) Generate a self-signed domain cert/key (follow the instructions on your terminal):

openssl req -newkey rsa:2048 -nodes \
  -keyout server.key.pem -x509 -days 3650 -out server.crt.pem

2.) Update permissions for the key:

chmod 755 server.key.pem

3.) Start Keycloak (use volumes for cert/key):

docker run \
  --name keycloak \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=password \
  -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem \
  -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem \
  -v $PWD/server.crt.pem:/opt/keycloak/conf/server.crt.pem \
  -v $PWD/server.key.pem:/opt/keycloak/conf/server.key.pem \
  -p 8443:8443 \
  quay.io/keycloak/keycloak:17.0.0 \
  start-dev

Keycloak will be exposed on port 8443 with the HTTPS protocol with this setup. If you also use a proxy (e.g. nginx), you will also need to configure the env variable KC_PROXY properly (e.g. KC_PROXY=edge). Of course, you can also use a keycloak.conf file instead of env variables.


Old answer for Keycloak up to 16.1.1 and Keycloak legacy 17+:

Publish port 8443 (HTTPS) and use it instead of 8080 (HTTP):

docker run \
  --name keycloak \
  -e KEYCLOAK_USER=myadmin \
  -e KEYCLOAK_PASSWORD=mypassword \
  -p 8443:8443 \
  jboss/keycloak

Keycloak generates a self-signed cert for HTTPS in this setup. Of course, this is not a production setup.


Update

Use volumes for your own TLS certificate:

  -v /<path>/tls.crt:/etc/x509/https/tls.crt \
  -v /<path>/tls.key:/etc/x509/https/tls.key \

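A pre-flight check for the certificate/key pair before either docker run above (the KC_HTTPS_CERTIFICATE_* layout for 17+ and the /etc/x509/https layout of the legacy image), added here as an example and not part of the original answer. It assumes the openssl CLI is installed; the function name check_tls_pair is its own.

```shell
#!/bin/sh
# check_tls_pair CERT_PEM KEY_PEM
# Exit status 0 only when all of the following hold:
#   1. the certificate has not expired,
#   2. the private key really belongs to the certificate (a mismatched pair
#      only surfaces as a cryptic startup failure inside the container),
#   3. the key is readable by "other" users: the image runs Keycloak as a
#      non-root user, so a 0600 key owned by your host account is unreadable
#      there (this is why the answer does chmod; 644 is enough, no x bit needed).
# Added example, not from the original answer; assumes openssl is on PATH.
check_tls_pair() {
  cert="$1"
  key="$2"
  [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }

  # 1. validity window: -checkend 0 fails if the cert is already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate is expired: $cert" >&2; return 1; }

  # 2. both files must carry the same public key (compared as PEM text);
  #    an unreadable/unparseable file yields an empty string and fails below
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate and key do not match" >&2; return 1; }

  # 3. "other" read bit: 8th character of the ls -l mode string (-rw-r--r--)
  other_read=$(ls -ld "$key" | cut -c8)
  [ "$other_read" = "r" ] \
    || { echo "key not readable by the container user; run: chmod 644 $key" >&2; return 1; }

  echo "ok: $cert / $key"
  return 0
}

# Run directly, e.g.: sh check.sh server.crt.pem server.key.pem
if [ "$#" -eq 2 ]; then
  check_tls_pair "$1" "$2"
fi
```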