diff --git a/roles/jellyfin/defaults/main.yml b/roles/jellyfin/defaults/main.yml
index 737e2ae..8a5cd77 100644
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -6,6 +6,7 @@ jellyfin_media_dirs:
 - /srv/cifs/TV Shows
 jellyfin_server_name: jellyfin.pyrocufflink.blue
 jellyfin_server_url: https://{{ jellyfin_server_name }}
+jellyfin_ldap_ca_cert: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
 jellyfin_ssl_certificate: >-
 {{ apache_ssl_certificate }}
diff --git a/roles/jellyfin/tasks/deploy.yml b/roles/jellyfin/tasks/deploy.yml
index 45031a3..12dff67 100644
--- a/roles/jellyfin/tasks/deploy.yml
+++ b/roles/jellyfin/tasks/deploy.yml
@@ -62,6 +62,15 @@
 - systemd
 - container
+- name: ensure selinux allows containers to read certificate files
+ seboolean:
+ name: container_read_certs
+ persistent: true
+ state: true
+ when: jellyfin_ldap_ca_cert|d
+ tags:
+ - selinux
+
 - name: flush handlers
 meta: flush_handlers
diff --git a/roles/jellyfin/templates/jellyfin.container.j2 b/roles/jellyfin/templates/jellyfin.container.j2
index eadc90e..85b0aad 100644
--- a/roles/jellyfin/templates/jellyfin.container.j2
+++ b/roles/jellyfin/templates/jellyfin.container.j2
@@ -14,6 +14,9 @@ Volume=/var/cache/jellyfin:/cache:rw,z
 {% for path in jellyfin_media_dirs %}
 Volume={{ path }}:/media/{{ path | basename }}:ro
 {% endfor %}
+{% if jellyfin_ldap_ca_cert|d %}
+Volume={{ jellyfin_ldap_ca_cert }}:/config/ldap-ca.crt:ro
+{% endif %}
 Network=host
 NoNewPrivileges=yes
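Review bot: The new default `jellyfin_ldap_ca_cert` in roles/jellyfin/defaults/main.yml is undocumented, yet it is non-empty and drives two side effects elsewhere in this commit: a host-wide SELinux boolean change and an extra bind mount into the container. A comment above it would make that visible to anyone overriding the value, for example `# Host path of the CA certificate mounted read-only at /config/ldap-ca.crt; set to '' to skip the mount and the container_read_certs SELinux boolean`. Because the default points at a site-specific trust anchor, a host that lacks that file still gets both side effects unless the variable is overridden.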
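Review bot: The `seboolean` task in roles/jellyfin/tasks/deploy.yml sets `container_read_certs` persistently for the whole host, so every container on the machine gains read access to certificate-labelled files, not only Jellyfin. If the boolean is kept, that scope should be stated next to the task, e.g. `# host-wide: applies to all containers on this machine, not just jellyfin`. A narrower option is to copy the CA certificate to a role-owned path labelled `container_file_t` and mount that copy, which needs no boolean change. Nothing in this hunk turns the boolean back off when `jellyfin_ldap_ca_cert` is later emptied, so the relaxation outlives the feature unless it is reverted by hand.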
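Review bot: The new `Volume={{ jellyfin_ldap_ca_cert }}:/config/ldap-ca.crt:ro` line in jellyfin.container.j2 bind-mounts a host file that nothing visible in this commit verifies exists. A missing bind-mount source would most likely stop the container from starting, so a typo in the variable becomes a Jellyfin outage and not a clear deploy-time error. A `stat` of the path followed by an `assert` on `stat.exists` in deploy.yml, under the same `when` condition, would fail the play early with a readable message. The value is also interpolated unquoted, so a path containing whitespace may not render as intended; the rest of the unit file is outside this hunk.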