diff --git a/Dockerfile b/Dockerfile
index 36a271c9..6676bc8c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,9 @@ RUN mvn clean package -DskipTests -U -B
 FROM eclipse-temurin:17-jre
 WORKDIR /app
 COPY --from=build /build/cameleer3-server-app/target/cameleer3-server-app-*.jar /app/server.jar
+COPY docker-entrypoint.sh /app/
+RUN chmod +x /app/docker-entrypoint.sh
 EXPOSE 8081
 ENV TZ=UTC
-ENTRYPOINT exec java -Duser.timezone=UTC -jar /app/server.jar
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 00000000..a84e9f5f
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -e
+
+# Import CA certificates from /certs/ca.pem into JVM truststore if present.
+# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
+# or an internal PKI in production) for OIDC discovery and token exchange.
+if [ -f /certs/ca.pem ]; then
+TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
+STOREPASS="changeit"
+TMPDIR=$(mktemp -d)
+
+# Split PEM bundle into individual certificates
+awk -v dir="$TMPDIR" '
+/-----BEGIN CERTIFICATE-----/ { n++ }
+n > 0 { print > dir "/cert-" n ".pem" }
+' /certs/ca.pem
+
+count=0
+for cert in "$TMPDIR"/cert-*.pem; do
+[ -f "$cert" ] || continue
+if keytool -importcert -noprompt -trustcacerts \
+-alias "custom-ca-$count" \
+-file "$cert" \
+-keystore "$TRUSTSTORE" \
+-storepass "$STOREPASS" 2>/dev/null; then
+count=$((count + 1))
+fi
+done
+
+rm -rf "$TMPDIR"
+[ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
+fi
+
+exec java -Duser.timezone=UTC -jar /app/server.jar
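Review bot: `COPY docker-entrypoint.sh /app/` followed by `RUN chmod +x /app/docker-entrypoint.sh` spends a second layer on a permission bit; with BuildKit a single `COPY --chmod=755 docker-entrypoint.sh /app/` does the same and makes the execute bit independent of how the file was checked out on the build host. The final stage still has no `USER` instruction, so the new entrypoint and the JVM it execs run as root; that is pre-existing, but the script now edits the JDK's own truststore in place, which would block adding a non-root `USER` later unless the truststore is staged somewhere writable first. Worth settling that now rather than after the image ships.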
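Review bot: The import loop writes into `$JAVA_HOME/lib/security/cacerts` in place, which only works while the container runs as root with a writable JDK install, and `2>/dev/null` on keytool discards the only diagnostic when an operator's bundle is malformed, so a bad `/certs/ca.pem` silently leaves the default trust set and the failure surfaces later as an opaque TLS error. Importing into a private copy of cacerts and passing `-Djavax.net.ssl.trustStore`/`-Djavax.net.ssl.trustStorePassword` on the `exec java` line keeps the JDK read-only, works under a non-root `USER`, and leaves keytool's stderr in the container log. `$JAVA_HOME` is also used unguarded; the eclipse-temurin base presumably sets it, but `: "${JAVA_HOME:?JAVA_HOME must be set}"` near the top is a cheap safety net against the truststore path collapsing to `/lib/security/cacerts`. Finally, `TMPDIR` is the variable `mktemp` itself consults for its target directory, so reusing it for the scratch dir is a footgun; a name like `certdir` avoids it.
```sh
: "${JAVA_HOME:?JAVA_HOME must be set}"
TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
STOREPASS="changeit"

if [ -f /certs/ca.pem ]; then
  # Import into a private copy so the JDK install stays untouched and
  # the script needs no write access (or root) under $JAVA_HOME.
  TRUSTSTORE=$(mktemp)
  cp "$JAVA_HOME/lib/security/cacerts" "$TRUSTSTORE"
  certdir=$(mktemp -d)
  # … unchanged: awk split of /certs/ca.pem into "$certdir"/cert-*.pem …
  count=0
  for cert in "$certdir"/cert-*.pem; do
    [ -f "$cert" ] || continue
    if keytool -importcert -noprompt -trustcacerts \
      -alias "custom-ca-$count" -file "$cert" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS"; then
      count=$((count + 1))
    else
      echo "WARN: could not import $cert into truststore" >&2
    fi
  done
  rm -rf "$certdir"
  echo "Imported $count CA certificate(s) from /certs/ca.pem"
fi

exec java -Djavax.net.ssl.trustStore="$TRUSTSTORE" \
  -Djavax.net.ssl.trustStorePassword="$STOREPASS" \
  -Duser.timezone=UTC -jar /app/server.jar
```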