When Keycloak CR is created a sso-x509-https-secret is created with a generated certificate for the created service. The problem is, that the certificate is generated only once, and is not regenerated when the URL changes. In the beginning, the certificate is generated for some internal URL, for example, keycloak.keycloak.svc. Then when a route is created, the certificate is invalid. I enclosed a screenshot.