How to import the FreeIPA root certificate into Keycloak
Posted on Thu 10 April 2025 in Blog
I have already written a few posts about using FreeIPA. Take How to use rootless podman with FreeIPA as an example.
For web authentication we mainly use Keycloak. In Keycloak you have the option to sync users from different LDAP providers, so it should be possible to sync FreeIPA users to Keycloak.
It is easily possible to use an unencrypted connection. But honestly, you shouldn't do that in 2025.
Since I am a big fan of running rootless containers, Keycloak also runs as a rootless container.
Keycloak uses the Java TrustStore to check whether a certificate is signed by one of the entries in the store. FreeIPA has its own certificate authority with its own root certificate. The FreeIPA server certificate is therefore not signed by any authority in the default TrustStore, and Keycloak will reject it.
The reason is explained in the Keycloak documentation:
When Keycloak communicates with external services or has an incoming connection through TLS, it has to validate the remote certificate in order to ensure it is connecting to a trusted server. This is necessary in order to prevent man-in-the-middle attacks.
The certificates of these clients or servers, or the CA that signed these certificates, must be put in a truststore. This truststore is then configured for use by Keycloak.
But it is possible to add the FreeIPA certificate to a custom truststore.
As a first step it is necessary to create a custom truststore. For that we use keytool:
keytool -importcert -file /etc/ipa/ca.crt -alias selfsigned -keystore /path/to/container/keystore.jks -storepass changeit -noprompt
After creating it, this TrustStore can be mounted into the container:
-v /path/to/container/keystore.jks:/etc/x509/https/keystore.jks:z
And an environment variable can point Keycloak to the path of the TrustStore containing the FreeIPA certificate:
JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/x509/https/keystore.jks"
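The three steps above (create the truststore, mount it, point Keycloak at it) as one runnable script; this is an added example, not code from the original post. The keystore path, the alias name, the store password and the image tag are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example: build the custom truststore from the FreeIPA CA, verify that the CA
# really landed in it, then start Keycloak rootless with podman using the mount and
# JAVA_OPTS from the post. Keystore path, alias, password and image tag are assumptions.
set -eu

IPA_CA=${IPA_CA:-/etc/ipa/ca.crt}
KEYSTORE=${KEYSTORE:-${HOME:-.}/keycloak/keystore.jks}
STOREPASS=${STOREPASS:-changeit}   # keytool's well-known default, as in the post; use your own
ALIAS=${ALIAS:-freeipa-ca}
IMAGE=${IMAGE:-quay.io/keycloak/keycloak:latest}   # assumed image tag, pin your version

# Import the FreeIPA CA into a fresh JKS truststore (the post's keytool invocation).
build_truststore() {
  ks=$1; ca=$2
  mkdir -p "$(dirname "$ks")"
  keytool -importcert -file "$ca" -alias "$ALIAS" -keystore "$ks" \
          -storepass "$STOREPASS" -noprompt
}

# Succeeds only if the alias is listed as a trustedCertEntry (a CA, not a key pair).
verify_truststore() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | grep -q "^$ALIAS,.*trustedCertEntry"
}

# Podman arguments that make the truststore visible to Keycloak: ":z" relabels the
# bind mount for SELinux, JAVA_OPTS points the JVM at the store.
podman_trust_args() {
  printf -- '-v %s:/etc/x509/https/keystore.jks:z -e JAVA_OPTS=-Djavax.net.ssl.trustStore=/etc/x509/https/keystore.jks' "$1"
}

run_keycloak() {
  # Word-splitting of the argument string is intended here.
  podman run --rm -p 8443:8443 $(podman_trust_args "$KEYSTORE") "$IMAGE" start
}

if [ "${1:-}" = "up" ]; then
  build_truststore "$KEYSTORE" "$IPA_CA"
  verify_truststore "$KEYSTORE" || { echo "FreeIPA CA missing from $KEYSTORE" >&2; exit 1; }
  run_keycloak
fi
```

Note that -Djavax.net.ssl.trustStore replaces the JVM's default truststore rather than extending it, so any other CA Keycloak must trust (for example for an external identity provider) has to be imported into the same file.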
Conclusion
Keycloak is a powerful Identity and Access Management tool, but it doesn't trust a custom FreeIPA root certificate out of the box. It is, however, possible to add the FreeIPA root certificate to the Keycloak TrustStore, and afterwards it is easy to synchronize FreeIPA users to Keycloak.