AM Keystore custom certificate (saml) ForgeOps


I have a running forgeops cluster and need to import an internally signed certificate into the am keystore (keystore.jceks). In a normal deployment of AM, would just do the import / alias the certificate but in a forgeops deployment, looks like the am-keystore is referenced in the SecretAgentConfiguration forgerock-sac. I created a new secret for my custom certificate in the k8s secret store and added the “importkeypair” command to my am-keystore configuration but on re-deploy of am deployment, the keystore is not being updated. Does anyone have a configuration / guide on adding custom saml cert to a forgeops deployment?

forgerock-sac config / am-keystore

# this imports the custom cert for saml signing from different secret / keystore in the environment
        - name: samlsigning
          cmd: importkeystore
          isKeyPair: true
          sourcePath: "saml-signing-cert/saml-signing"

cert / secret yaml configuration

apiVersion: v1
  ca.pem: <base64 of ca pem file>
  saml-signing.pem: <remove base64 encoded pem cert>
  saml-signing-private.pem: <removed private base64 pem>
  saml-signing-combined.pem: <removed base 64 encoded cert>
kind: Secret
  name: saml-signing-cert
  namespace: fr

Any guides / help you can give with this would be appreciated so can get this cert loaded into my keystore.


1 Like

Hi @nick.hunt,

I’m in a similar situation to yourself and trying to load a custom SAML signing certificate into a ForgeOps install.

I’ve followed your steps (which was a helpful steer on how to approach this) starting with a vanilla forgeops install; then loading the certificate into a K8S Secret; configuring the am-keystore in the SAC to source it using the SAC setting you had. At this point nothing has actually changed in terms of AM or the keystore.

I then had to delete the am-keystore secret. This triggers the secret agent to regen it with the certificate embedded. I then had to kill the AM pod for it to regenerate and pull in the new keystore. I was able to shell onto the container and run keytool -list to see that the certificate private key was imported ok.

I’ve not yet configured it to be used for SAML signing but hopefully now it’s back to normal AM setup steps for mapping keys from keystores.

Wanted to reply because your post was helpful to me and I wanted to see how you got on / if this was any use back to you.

Agree some guidance in the ForgeOps documentation on how to do this would be really helpful!


Hey Rob

I ended up going a different path which I found to be more useful / helpful given the secret agent overlay on the default am-keystore. I created a custom secret on k8s for my custom certificates / store which I load as a secret on startup of am. Then, added that as a secret in AM / mapped my certificates where needed. This way, as the default am-keystore is updated, it does not impact my custom certificate store which is maintained directly. If you want the full configuration / steps, let me know and I can post them for you so you can see the final working solution.


Hi Nick,

Thank you for the quick reply. Yes I’ve followed the route you’ve suggested; loading my own keystore and mounting into the AM container and then added at the realm level; as you say it feels better that its separate from the one ForgeOps manages. SAML messages are happily being signed now.

Again thank you for posting this it’s been very helpful.



Hi Robert, thank you for sharing your positive experience with Nick’s solution! We’re glad to hear that the approach of loading your own keystore and mounting it into the AM container worked well for you, and that your SAML messages are being signed correctly.

If you found Nick’s response helpful, we kindly encourage you to click the “Solve” button below his reply. Marking answers as solved helps other community members quickly find solutions to similar issues.

Thank you for being an active and supportive member of our community and sharing the outcome of the solution!

Warm regards,

1 Like