diff --git a/services/cbioproxy/Dockerfile b/services/cbioproxy/Dockerfile
index d7d9513..fe6023a 100644
--- a/services/cbioproxy/Dockerfile
+++ b/services/cbioproxy/Dockerfile
@@ -1,7 +1,7 @@
 FROM ghcr.io/buschlab/cbioportal:${RELEASE:-latest} as static
 
 FROM docker.io/openresty/openresty:1.21.4.1-7-alpine-fat
-RUN apk update && apk add git ca-certificates && rm -rf /var/cache/apk/*
+RUN apk update && apk add git ca-certificates openssl && rm -rf /var/cache/apk/*
 COPY --from=static /cbioportal-webapp /usr/share/nginx/html
 RUN rm /etc/nginx/conf.d/default.conf \
     && /usr/local/openresty/luajit/bin/luarocks install lua-resty-openidc
diff --git a/services/cbioproxy/cbioportal.conf b/services/cbioproxy/cbioportal.conf
index 5c01e80..060bed3 100755
--- a/services/cbioproxy/cbioportal.conf
+++ b/services/cbioproxy/cbioportal.conf
@@ -16,7 +16,7 @@ server
     set $spring_port $http_x_forwarded_port;
   }
 
-  #lua_ssl_trusted_certificate /usr/local/share/ca-certificates/keycloak.pem;
+  #lua_ssl_trusted_certificate /keycloak.pem;
 
   location /attributes.json
   {
diff --git a/services/cbioproxy/start.sh b/services/cbioproxy/start.sh
index ed11a4a..68d3bfa 100755
--- a/services/cbioproxy/start.sh
+++ b/services/cbioproxy/start.sh
@@ -4,7 +4,7 @@ sleep 2
 
 if [ -s /keycloak.pem ]; then
     echo "Keycloak certificate chain present. Copying to ca store."
-    cp /keycloak.pem /usr/local/share/ca-certificates/keycloak.pem
+    openssl x509 -inform PEM -in /keycloak.pem -out /usr/local/share/ca-certificates/keycloak.pem
     sed 's/#lua_ssl_trusted_certificate/lua_ssl_trusted_certificate/g' /cbioportal.conf > /etc/nginx/conf.d/cbioportal.conf
     update-ca-certificates
 else