LDAPS is used to secure your LDAP connection. Refer to the Keycloak documentation on LDAP for more information.

Keycloak uses the default location within the container:


Copy your certificate authority (CA) certificate into the container:

docker ps|grep cloak
docker cp <CA.pem> <container_ID>:/opt/jboss

Drop into the container:

docker exec -u root -it <container_ID> /bin/bash

Import the CA into the truststore:

cd /opt/jboss/keycloak/standalone/configuration/keystores
keytool -keystore truststore -storepass anaconda -noprompt -trustcacerts -importcert -alias ldap-ca -file /opt/jboss/<CA.pem>

Add the CA to the CA certs bundle:

cp /opt/jboss/<CA.pem> /etc/pki/ca-trust/source/anchors/

This will update the CA certs bundle found in the following file path:


Restart the container:

docker ps|grep cloak
docker restart <container_ID>


If you have any issues, verify the CA against the LDAPS server:

openssl s_client -CAfile <CA.pem> -connect ldapserver.com:636

The output should include the following line:

Verify return code: 0 (ok)
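
The same check in scripted form, as an added example that is not part of the original documentation. By default openssl s_client continues the handshake after a certificate verification error, so the script reads the "Verify return code" line rather than relying on the exit status. The function names and the sample output lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual s_client check.
# Function names are hypothetical; they are not part of Keycloak or OpenSSL.

# Print the numeric code from the first "Verify return code" line on stdin.
parse_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify s_client output read from stdin:
#   0 = chain verified against the CA
#   1 = verification failed (for example, wrong or incomplete CA file)
#   2 = no verify result at all (connection or handshake never completed)
classify_verify() {
    code=$(parse_verify_code)
    case "$code" in
        0)  return 0 ;;
        "") echo "no verify result; connection or handshake failed" >&2; return 2 ;;
        *)  echo "verify failed with code $code" >&2; return 1 ;;
    esac
}

# Usage: ldaps_ca_ok <CA.pem> <host:port>
ldaps_ca_ok() {
    [ -r "$1" ] || { echo "cannot read CA file: $1" >&2; return 2; }
    # </dev/null closes stdin so s_client exits after the handshake
    # instead of waiting for interactive input.
    out=$(openssl s_client -CAfile "$1" -connect "$2" </dev/null 2>&1) || true
    printf '%s\n' "$out" | classify_verify
}

# Constructed sample output lines (not captured from a real server).
SAMPLE_OK='    Verify return code: 0 (ok)'
SAMPLE_BAD='    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_NONE='connect:errno=111'

# Run the live check only when called with <CA.pem> <host:port>.
if [ "$#" -eq 2 ]; then
    ldaps_ca_ok "$1" "$2"
    exit $?
fi
```

Run it with the CA file and host:port from the command above; a non-zero exit status means the CA does not validate the LDAPS server's chain or the connection never completed.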

You can inspect the truststore with the following command:

keytool -list -v -keystore /opt/jboss/keycloak/standalone/configuration/keystores/truststore -storepass anaconda