Supported encrypted pem files in the TLS registry

[shawkins]

Description

When specifying pem files for https the current expectation is that keys are unencrypted. It would be good if encrypted pem were supported as well.

See keycloak/keycloak#27437

Implementation ideas

No response

[phillip-kruger]

maybe @cescoffier or @sberyozkin

[cescoffier]

That's something I have on my todo list. We never had the request (even before the TLS registry) so I always postponed it.

The workaround right now is to use p12.

[cescoffier]

Forgot to mention. The main issue is that I do not want to include bouncycastle as a mandatory runtime dependency. Thus, it makes things slightly more complicated.

Alternatively, this could be implemented as a separate (quarkiverse) extension (the TLS registry allows extension to register certificates)

[quarkus-bot]

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

[cescoffier]

BTW - this enhancement would NOT be backported to the 3.15 (LTS).

[sberyozkin]

Hi @cescoffier

Makes sense to avoid the BC dependency... One thing that I'd like to ask is to have, if possible, some shared utility code in quarkus vertx http, as I'd like to support this option for the non-TLS case, OIDC Private Key JWT authentication... (this is when a JWT token is generated and then signed with the private key, as a form of the client authentication, instead of the name and password, we briefly discussed it when Michal was migrating OIDC to use TLS registry)