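LDAPS (LDAP over TLS) secures the connection between Keycloak and your LDAP server. For Keycloak to trust the LDAPS server's certificate, the issuing certificate authority (CA) must be present in Keycloak's truststore. Refer to the Keycloak documentation on LDAP for more information.
Keycloak uses the default keystore location within the container:
/opt/jboss/keycloak/standalone/configuration/keystores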
Copy in your certificate authority (CA):
# Find the Keycloak container ID.
docker ps | grep cloak
# Replace <CA.pem> with your certificate authority.
# Replace <container_ID> with your container ID.
docker cp <CA.pem> <container_ID>:/opt/jboss
Drop into the container:
# Replace <container_ID> with your container ID.
docker exec -u root -it <container_ID> /bin/bash
Import the CA into the Keycloak truststore:
# Replace <CA.pem> with your certificate authority.
cd /opt/jboss/keycloak/standalone/configuration/keystores
keytool -keystore truststore -storepass anaconda -noprompt -trustcacerts -importcert -alias ldap-ca -file /opt/jboss/<CA.pem>
Add the CA to the system CA certs bundle:
# Replace <CA.pem> with your certificate authority.
cp /opt/jboss/<CA.pem> /etc/pki/ca-trust/source/anchors/
update-ca-trust
This will update the CA certs bundle found in the following file path:
/etc/pki/ca-trust/extracted/java
Restart the container:
# Find the Keycloak container ID.
docker ps | grep cloak
# Replace <container_ID> with your container ID.
docker restart <container_ID>
Troubleshooting
If you have any issues, verify the CA against the LDAPS server:
# Replace <CA.pem> with your certificate authority.
# Replace ldapserver.com with the hostname of your LDAPS server.
openssl s_client -CAfile <CA.pem> -connect ldapserver.com:636
This should return the following string:
Verify return code: 0 (ok)
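For scripted checks, note that `openssl s_client` completes the handshake even when certificate verification fails, so the printed verify code is what has to be tested. The following added example (not part of the original documentation) classifies an s_client transcript by that code; the function names and the sample transcripts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original documentation.
# Live use with the page's placeholders:
#   openssl s_client -CAfile <CA.pem> -connect ldapserver.com:636 </dev/null 2>&1 | ldaps_check

# Print the verify result of an s_client transcript read from stdin as
# "<code> <reason>". The line may occur more than once in one transcript,
# so the first non-zero code wins; "none" means no result was printed.
ldaps_verify_result() {
    awk '
        /Verify return code:/ {
            code = $4 + 0
            reason = $0
            sub(/^.*Verify return code: [0-9]+ */, "", reason)
            if (result == "" || (bad == 0 && code != 0)) {
                result = code " " reason
                bad = (code != 0)
            }
        }
        END { print (result == "" ? "none" : result) }
    '
}

# Return 0 for a verified chain, 1 for a verification error,
# 2 when the connection or handshake produced no result at all.
ldaps_check() {
    result=$(ldaps_verify_result)
    case "$result" in
        "0 "*) echo "PASS: $result"; return 0 ;;
        none)  echo "FAIL: no verify result (connection or handshake failed)"; return 2 ;;
        *)     echo "FAIL: $result"; return 1 ;;
    esac
}

# Constructed, trimmed transcripts standing in for real s_client output.
sample_trusted() { printf '%s\n' 'depth=1 CN = Example LDAP CA' 'verify return:1' \
    'depth=0 CN = ldapserver.com' 'verify return:1' '    Verify return code: 0 (ok)'; }
sample_untrusted() { printf '%s\n' 'depth=0 CN = ldapserver.com' \
    'verify error:num=20:unable to get local issuer certificate' 'verify return:1' \
    '    Verify return code: 20 (unable to get local issuer certificate)'; }
sample_refused() { printf '%s\n' 'connect:errno=111'; }

# Run the classifier over each constructed transcript.
for s in sample_trusted sample_untrusted sample_refused; do
    printf '%s: ' "$s"; "$s" | ldaps_check || true
done
```

A result of 20 means the server's chain does not lead to the CA in `<CA.pem>`, which is the case the truststore import above is meant to fix.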
You can inspect the keystore you created with the following command:
keytool -list -v -keystore /opt/jboss/keycloak/standalone/configuration/keystores/truststore -storepass anaconda