It seems that only supported SASL mechanism in Elytron which is able to work with key/certificate is EXTERNAL mechanism. However this mechanism takes this information from SSL connection which means that credentials defined in configuration.authentication-client.authentication-configurations.configuration.credentials.key-store-reference or configuration.authentication-client.authentication-configurations.configuration.credentials.certificate from Elytron client configuration file are not used in this case.

Is there any Elytron supported SASL mechanism which is currently able to work with these credentials? In this case please provide configuration and SASL mechanism which is able to work with key-store-reference and certificate credentials.

Otherwise these key-store-reference and certificate should be removed from Elytron client configuration because they currently cannot be used by users (or tested by QA). They can be added to configuration again once Elytron will support mechanism which is able to work with key/certificate as credentials. This is basically the similar issue as JBEAP-11720.