diff --git a/app/compose b/app/compose index 2919c67..79e2af8 100644 --- a/app/compose +++ b/app/compose @@ -24,6 +24,7 @@ with open(pwdfile, 'r') as fd: X509_CA_BUNDLE: "/ca-certificates.crt" volumes: - /etc/ssl/certs/ca-certificates.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro + - /etc/univention/ssl/ucsCA/CAcert.pem:/etc/pki/ca-trust/extracted/pem/ucsCAcert.pem:ro - /var/lib/univention-appcenter/apps/keycloak/conf/UCS:/opt/keycloak/themes/UCS #- /var/lib/univention-appcenter/apps/keycloak/data/development:/opt/jboss/keycloak/standalone/deployments/ ports: diff --git a/app/inst b/app/inst index 9b1dadf..8d603e4 100644 --- a/app/inst +++ b/app/inst @@ -136,6 +136,9 @@ do done +# add UCS rootCA to trusted CA certificates +univention-app shell keycloak keytool -cacerts -import -alias ucsCA -file /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem -storepass "changeit" -noprompt + # another restart for the cache initialization univention-app restart keycloak diff --git a/docs/configuration.rst b/docs/configuration.rst index 95a7acf..eecbab4 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst 
@@ -288,6 +288,32 @@ federation* is useful when administrators want to keep track of all users in For more information on |SPI|, see :cite:t:`keycloak-spi`. +.. _ad-hoc-federation-import-external-ca: + +Import external CA certificates +------------------------------- + +Federation involves other, for example external, server systems and requires +trust. Certificates are a way to implement trust. To tell your Keycloak +system to trust another system for the ad-hoc federation, you need to +import the CA certificate for that system. Keycloak needs the CA certificate +to verify the encrypted connection with the other system. + +Use the following steps to add the CA certificate of the other system: + +.. code-block:: console + + $ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem + $ univention-app shell keycloak \ + keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt + +Repeat this procedure when any CA certificate expires. In case of any CA related +TLS error, restart the container: + +.. code-block:: console + + $ docker restart keycloak + .. _ad-hoc-federation-custom-auth-flow: Create custom authentication flow
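Review bot: the new volume line in app/compose bind-mounts /etc/univention/ssl/ucsCA/CAcert.pem from the host, and if that file is absent when the container is created Docker creates an empty directory at the host path and mounts a directory at /etc/pki/ca-trust/extracted/pem/ucsCAcert.pem, so the later keytool import in app/inst fails with an unhelpful "not a file" style error. Check for the file before the compose step, or fail early with a clear message. A short comment on the volume line would also help: placing a PEM into the extracted ca-trust directory does not merge it into tls-ca-bundle.pem, which is why the separate keytool import is still needed.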
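Review bot: the `keytool -cacerts -import -alias ucsCA` line added to app/inst is not idempotent; when the script runs a second time against a container that already holds the import (re-run of inst, or an upgrade that keeps the container), keytool exits non-zero with "alias ucsCA already exists", and depending on the script's error handling this either aborts the install or leaves a misleading error in the log. Guard it with a list check first, e.g. `univention-app shell keycloak keytool -cacerts -list -alias ucsCA -storepass changeit >/dev/null 2>&1 || univention-app shell keycloak keytool -cacerts -import ...`, or delete the alias before importing. The hard-coded store password "changeit" is the JVM default cacerts password; add a comment naming that dependency so a future image change is easy to diagnose.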
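Review bot: the documented command in docs/configuration.rst reuses `-alias ucsCA`, which app/inst already uses for the UCS root CA, so importing an external CA with this exact command is refused by keytool because the alias exists. Use a distinct alias per imported CA (for example the issuer's name) and say so in the text. The sentence "Repeat this procedure when any CA certificate expires" needs the caveat that a re-import under an existing alias fails until the old entry is removed with `keytool -cacerts -delete -alias <alias> -storepass changeit`. The restart hint should also distinguish `docker restart` (keeps the container's writable layer, so the copied file and the keystore change survive) from container recreation on an app update or reinstall, after which the steps must be repeated unless the JVM cacerts path is on a persistent volume, which the compose hunk does not show; for consistency with app/inst, `univention-app restart keycloak` is the command administrators will expect.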