Truststore in KC 17 Quarkus for LDAPS/TLS

I’m having trouble finding the option for configuring a truststore. In the Advanced Settings of LDAP there is a tooltip that points to a file named standalone.xml/domain.xml, but this only seems to exist in the WildFly distribution and not in the Quarkus one we use.

The goal is to import the certificate of the LDAP server to use LDAPS/TLS. If somebody could shed some light on this issue, I really would appreciate it.

Thank you,

You have to create the truststore file externally, copy it into the Keycloak image and configure it with these properties: Keycloak - Server - All configuration

1 Like

Yay thank you, worked!

1 Like

Hi @stefan1 @dasniko
I have the same problem, but it does not work for me.
I define the truststore and import the cert in the Dockerfile.
I don’t know where the mistake is.

ENV KC_HTTPS_TRUST_STORE_FILE=conf/ldap-test.jks
RUN keytool -import -noprompt -trustcacerts -storepass PW1 -alias ldap-test -file ldap-test.cer -keystore conf/ldap-test.jks

Thank you

Sorry, I directly modified conf/keycloak.conf; I don’t know how it works with Docker.

EDIT: it doesn’t work for me either. I thought it worked at first glance, but it was only the LDAP Connection Test that worked. When I try to authenticate I get this error, the same as if I didn’t configure a truststore: PKIX path building failed: unable to find valid certification path to requested target

I added the following options to the conf/keycloak.conf:


and added the CA-Certificate of the LDAP-Server with this command:

keytool -importcert -v -trustcacerts -alias ucs-ca -file ucsCAcert.pem -keystore truststore.jks

I also tried to add the certificate of the LDAP-Server:

rm truststore.jks
keytool -import -alias -keystore truststore.jks -file

– same error

OK, it works with the default Java keystore; for me on Ubuntu it was:

keytool -importcert -alias ucs-CA -keystore /usr/lib/jvm/default-java/lib/security/cacerts -file ucsCAcert.pem

Still wondering why it doesn’t work with a custom added truststore.

@breed @dasniko

Found the right parameter:

--spi-truststore-file-file and --spi-truststore-file-password were the parameters I was looking for.

And here it is described how to add host certificates to the truststore (I don’t know if it also works with CA certificates, but I think so):
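The two earlier answers (build the truststore externally, copy it into the image, then point Keycloak at it with the truststore SPI options) can be put together into one script. The following is an added example, not code from this thread or from the Keycloak project. It assumes the CA certificate is in ucsCAcert.pem, the truststore goes to conf/truststore.jks under the alias ucs-ca, and the config file is conf/keycloak.conf; the hostname-verification-policy key is an additional option of the same truststore SPI that the thread does not mention. Note that the KC_HTTPS_TRUST_STORE_FILE variable tried earlier in the thread configures the server's own HTTPS listener, not the trust used for outgoing LDAPS connections; the spi-truststore-file-* options are the ones that apply to LDAPS.

```shell
#!/bin/sh
# Added example (not from the thread): build an LDAPS truststore for Keycloak 17
# (Quarkus) and write the truststore SPI entries into conf/keycloak.conf.
# Assumed names: ucsCAcert.pem (the LDAP server's CA certificate), the
# truststore path conf/truststore.jks and the alias ucs-ca.
set -eu

# Import a CA certificate (PEM) into a JKS truststore, creating it if needed,
# then verify that the alias is really present. Args: ca_pem store password alias
make_truststore() {
  ca_pem=$1; store=$2; pw=$3; alias=$4
  mkdir -p "$(dirname "$store")"
  keytool -importcert -noprompt -trustcacerts -storetype JKS \
    -alias "$alias" -file "$ca_pem" -keystore "$store" -storepass "$pw"
  keytool -list -keystore "$store" -storepass "$pw" -alias "$alias" >/dev/null
}

# Print the keycloak.conf entries for the truststore SPI. The first two keys are
# the ones named in the thread; hostname-verification-policy is a further option
# of the same SPI (assumption: WILDCARD, which checks the server name against
# the certificate and allows wildcard certificates).
truststore_conf() {
  store=$1; pw=$2
  printf '%s\n' \
    "spi-truststore-file-file=$store" \
    "spi-truststore-file-password=$pw" \
    "spi-truststore-file-hostname-verification-policy=WILDCARD"
}

# The same two settings as command-line options for `kc.sh start ...`.
truststore_args() {
  store=$1; pw=$2
  printf '%s %s\n' \
    "--spi-truststore-file-file=$store" \
    "--spi-truststore-file-password=$pw"
}

# Write the entries into a keycloak.conf, dropping any earlier
# spi-truststore-file-* lines so that a re-run does not leave duplicates.
write_conf() {
  conf=$1; store=$2; pw=$3
  tmp=$(mktemp)
  if [ -f "$conf" ]; then
    grep -v '^spi-truststore-file-' "$conf" > "$tmp" || true
  fi
  truststore_conf "$store" "$pw" >> "$tmp"
  mv "$tmp" "$conf"
}

# Stand-alone use: ./ldaps-truststore.sh ucsCAcert.pem conf/truststore.jks <password>
if [ "$#" -eq 3 ]; then
  make_truststore "$1" "$2" "$3" ucs-ca
  write_conf conf/keycloak.conf "$2" "$3"
  echo "Command-line equivalent: $(truststore_args "$2" "$3")"
fi
```

In a Dockerfile the script would be run in a RUN step after COPYing the CA certificate, so that both conf/truststore.jks and the updated conf/keycloak.conf end up in the image. The keytool -list step matters: a missing or mistyped alias otherwise only shows up later as the same PKIX path building failed error, which the admin console's LDAP Connection Test does not necessarily reproduce.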

@stefan1 thank you for your reply.

But it still does not work for me.

RUN keytool -importcert -alias ldaptest-CA -storepass PW -noprompt -file /opt/keycloak/ldap-test.cer -keystore conf/ldap-test.jks

Similar problem with using