Import LDAP certificate into keycloak running on kubernetes

Hello, I’m trying to configure my LDAP server with a secure connection for user federation. Test connectivity passes but test authentication fails.
Keycloak is running as a pod in Kubernetes using the default public Docker image.

In the server logs, I see that the certificate is not recognized because it is not signed by a known CA. It is a self-signed certificate. I would love some suggestions on how to solve this in Kubernetes without having to include the certificates as part of the Docker image.

Is there a way to handle this via an init container or secrets? Any recommended approach is appreciated.

Kindly suggest

Hello, I also had confusion with this topic.

Our LDAP server also has a self-signed certificate, signed by IT with an internal CA. To add the CA, I created a cacert-store file with keytool and added it to Keycloak with the required parameter at server start (Configure a Truststore).
What I didn’t know at first is that these parameters overwrite the default cacert-store, which in my case led to an untrusted SMTP server error, even though that one is signed by a well-known provider.

To work around that, I created my own container and added the CA to the global PKI store (for keycloak:19.0.2, add the CA in /usr/share/pki/ca-trust-source/anchors/ and exec update-ca-cert).

So I’m also interested in a simple and recommended approach to just add CAs to the default cacert-store used by Keycloak.

regards
reisman

Hey all, I noticed this never got a clear answer, and I recently had to do this too.

Referencing All provider configuration - Keycloak and keycloak/docs/documentation/release_notes/topics/24_0_0.adoc at main · keycloak/keycloak · GitHub, I did the following:

Create a new keystore with the LDAPS certificate chain:

keytool -import -keystore ldaps.jks -file ldaps-chain.pem

Add a Kubernetes secret (ldaps-keystore, for example) containing that keystore, then in your deployment add a volume and volumeMount:

spec:
  volumes:
    - name: ldaps-keystore
      secret:
        secretName: <secret-name>
        defaultMode: 420

--- <volumeMount> ---

volumeMounts:
  - name: ldaps-keystore
    readOnly: true
    mountPath: /mnt/truststore

Then add the correct environment variables:

env:
  - name: KC_SPI_TRUSTSTORE_FILE_FILE
    value: /mnt/truststore/ldaps.jks
  - name: KC_SPI_TRUSTSTORE_FILE_PASSWORD
    value: <keystore password>  # you can make this a secretRef; for clarity I'm just doing this

This will then make the keystore contents available to your Keycloak instance in Kubernetes.

If you’re using the operator, then you’ll want to reference keycloak/docs/documentation/release_notes/topics/24_0_0.adoc at main · keycloak/keycloak · GitHub
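An added helper script (not from this thread or the Keycloak project) that does the keystore and secret steps above in one go: it splits the PEM chain so every CA certificate lands in the truststore under its own alias, and renders the Secret manifest without needing kubectl. It assumes keytool, awk and base64 are on PATH; the file names, aliases and secret name are placeholders.

```shell
#!/bin/sh
# Added example: build a Keycloak truststore from a PEM chain and wrap it in a
# Kubernetes Secret. Assumes keytool (JDK), awk and base64 are installed.
set -eu

# Split a PEM bundle into one file per certificate: <prefix>-1.pem, -2.pem ...
# and print the number of certificates found. keytool -importcert reads only
# the first certificate of a file when creating a trusted-cert entry, so each
# CA certificate in the chain has to be imported separately.
split_pem_chain() {        # $1 = bundle file, $2 = output prefix
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Import every certificate of the chain into a JKS truststore, one alias each,
# then list the store so the operator can verify what Keycloak will trust.
build_truststore() {       # $1 = bundle file, $2 = keystore path, $3 = password
    count=$(split_pem_chain "$1" "${2%.jks}-part")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -keystore "$2" -storepass "$3" \
            -alias "ldaps-chain-$i" -file "${2%.jks}-part-$i.pem"
        i=$((i + 1))
    done
    keytool -list -keystore "$2" -storepass "$3"
}

# Render the Secret manifest (same object as `kubectl create secret generic
# NAME --from-file=KEYSTORE` would produce); the key is the keystore file name,
# so it matches the mountPath used in the deployment.
secret_manifest() {        # $1 = secret name, $2 = keystore path
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$1" "$(basename "$2")" "$(base64 < "$2" | tr -d '\n')"
}

# Typical use (placeholder names):
#   build_truststore ldaps-chain.pem ldaps.jks 'changeit'
#   secret_manifest ldaps-keystore ldaps.jks | kubectl apply -f -
```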