Keycloak and AJP: Certificate lookup and CRL validation


We have Keycloak with Apache acting as a reverse proxy with AJP.

With this configuration, Keycloak only receives the end user client certificate (in the javax.servlet.request.X509Certificate request parameter), not the complete chain.

So we developed (based on DefaultClientCertificateLookup and NginxProxySslClientCertificateLookup) a client cert lookup that obtains the client certificate from the request and rebuilds the chain with the certificates in the Keycloak truststore.

But the code from NginxProxySslClientCertificateLookup does not include the root certificate in the chain.

  1. So, the first question is: should the root certificate be present in the chain? (see question 3)
  2. The second question, about CRL validation, is: wouldn't it be necessary to validate the CRLs of all certificates in the chain? We examined the code and saw that only cert[0] (the end user certificate) is validated.
  3. We made some modifications to the code to validate all the certificates in the whole chain, to see if any of them is revoked. But we got another issue: in the first test, we did not include the root certificate in the chain. So the code got stuck in an infinite loop (while(true)) in the method findCRLSignatureCertificateInTruststore of the class CRLUtils, because the root certificate is present in the truststore but not in the CA chain.