diff --git a/contrib/redhat/gitbucket.conf b/contrib/redhat/gitbucket.conf
index 1b60b32..c3959f3 100644
--- a/contrib/redhat/gitbucket.conf
+++ b/contrib/redhat/gitbucket.conf
@@ -16,8 +16,5 @@
 # URL prefix for the GitBucket page (http://://)
 #GITBUCKET_PREFIX=
-# Java keystore (for LDAP StartTLS)
-#GITBUCKET_KEYSTORE=/var/lib/gitbucket/keystore
-
 # Other Java option
 #GITBUCKET_JVM_OPTS=
diff --git a/contrib/redhat/gitbucket.init b/contrib/redhat/gitbucket.init
index 75f7525..3aed802 100644
--- a/contrib/redhat/gitbucket.init
+++ b/contrib/redhat/gitbucket.init
@@ -14,7 +14,6 @@
 # Default values
 GITBUCKET_HOME=/var/lib/gitbucket
 GITBUCKET_WAR_FILE=/usr/share/gitbucket/lib/gitbucket.war
-GITBUCKET_KEYSTORE=/var/lib/gitbucket/keystore
 # Pull in cq settings
 [ -f /etc/sysconfig/gitbucket ] && . /etc/sysconfig/gitbucket
@@ -30,8 +29,6 @@ start() {
 echo -n $"Starting GitBucket server: "
- GITBUCKET_JVM_OPTS="${GITBUCKET_JVM_OPTS} -Djavax.net.ssl.trustStore=${GITBUCKET_KEYSTORE}"
-
 # Compile statup parameters
 if [ $GITBUCKET_PORT ]; then
 START_OPTS="${START_OPTS} --port=${GITBUCKET_PORT}"
diff --git a/src/main/scala/app/SystemSettingsController.scala b/src/main/scala/app/SystemSettingsController.scala
index 560c54e..c952712 100644
--- a/src/main/scala/app/SystemSettingsController.scala
+++ b/src/main/scala/app/SystemSettingsController.scala
@@ -34,7 +34,8 @@
 "baseDN" -> trim(label("Base DN", text(required))),
 "userNameAttribute" -> trim(label("User name attribute", text(required))),
 "mailAttribute" -> trim(label("Mail address attribute", text(required))),
- "tls" -> trim(label("Enable StartTLS", optional(boolean())))
+ "tls" -> trim(label("Enable StartTLS", optional(boolean()))),
+ "keystore" -> trim(label("Keystore", optional(text())))
 )(Ldap.apply))
 )(SystemSettings.apply)
diff --git a/src/main/scala/service/SystemSettingsService.scala b/src/main/scala/service/SystemSettingsService.scala
index 2c62047..ba57533 100644
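Review bot: The new `"keystore"` mapping accepts any free text with no check that the value names a readable file, so a typo in this admin field only surfaces later as a failed LDAP bind on the login path. If the form DSL used in this file offers a `verifying` hook, attaching one that rejects the value when `new java.io.File(v).isFile` is false would catch the mistake at save time instead. The label "Keystore" also understates what the value does: it ends up in `javax.net.ssl.trustStore` (see the LDAPUtil hunk), so "Trust store" would describe it more accurately. The enclosing form mapping starts outside the hunk.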
--- a/src/main/scala/service/SystemSettingsService.scala
+++ b/src/main/scala/service/SystemSettingsService.scala
@@ -33,6 +33,7 @@
 props.setProperty(LdapUserNameAttribute, ldap.userNameAttribute)
 props.setProperty(LdapMailAddressAttribute, ldap.mailAttribute)
 ldap.tls.foreach(x => props.setProperty(LdapTls, x.toString))
+ ldap.keystore.foreach(x => props.setProperty(LdapKeystore, x))
 }
 }
 props.store(new java.io.FileOutputStream(GitBucketConf), null)
@@ -71,7 +72,8 @@
 getValue(props, LdapBaseDN, ""),
 getValue(props, LdapUserNameAttribute, ""),
 getValue(props, LdapMailAddressAttribute, ""),
- getOptionValue[Boolean](props, LdapTls, None)))
+ getOptionValue[Boolean](props, LdapTls, None),
+ getOptionValue(props, LdapKeystore, None)))
 } else {
 None
 }
@@ -100,7 +102,8 @@
 baseDN: String,
 userNameAttribute: String,
 mailAttribute: String,
- tls: Option[Boolean])
+ tls: Option[Boolean],
+ keystore: Option[String])
 case class Smtp(
 host: String,
@@ -113,6 +116,7 @@
 val DefaultSmtpPort = 25
 val DefaultLdapPort = 389
+ val DefaultLdapKeystore = "/var/lib/gitbucket/keystore"
 private val AllowAccountRegistration = "allow_account_registration"
 private val Gravatar = "gravatar"
@@ -133,6 +137,7 @@
 private val LdapUserNameAttribute = "ldap.username_attribute"
 private val LdapMailAddressAttribute = "ldap.mail_attribute"
 private val LdapTls = "ldap.tls"
+ private val LdapKeystore = "ldap.keystore"
 private def getValue[A: ClassTag](props: java.util.Properties, key: String, default: A): A =
 defining(props.getProperty(key)){ value =>
diff --git a/src/main/scala/util/LDAPUtil.scala b/src/main/scala/util/LDAPUtil.scala
index d6ef2a9..3f0bad8 100644
--- a/src/main/scala/util/LDAPUtil.scala
+++ b/src/main/scala/util/LDAPUtil.scala
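Review bot: `getOptionValue(props, LdapKeystore, None)` leaves the type argument to inference while the `LdapTls` call directly above spells out `[Boolean]`; the sibling `getValue[A: ClassTag]` visible in the last hunk suggests these helpers pick the conversion from the `ClassTag`, so an inferred tag is the wrong thing to rely on here. Writing it as `getOptionValue[String](props, LdapKeystore, None)` makes the conversion explicit and keeps the two calls consistent. The enclosing function starts and ends outside the hunk.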
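Review bot: `val DefaultLdapKeystore = "/var/lib/gitbucket/keystore"` moves a path that belongs to the RedHat packaging (the same value this commit deletes from `contrib/redhat/gitbucket.conf` and `gitbucket.init`) into application code, where the LDAPUtil hunks apply it on every platform whenever the new field is left empty. Since the value becomes `javax.net.ssl.trustStore`, an installation with a different layout that enables StartTLS now points JSSE at a file that does not exist unless the admin fills the field in, and a deployment that overrode `GITBUCKET_KEYSTORE` in `/etc/sysconfig/gitbucket` silently loses that override. A comment at the definition such as `// Matches the contrib/redhat layout; other installs must set ldap.keystore explicitly` would make the origin and the expectation clear. The enclosing object continues outside the hunk.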
@@ -26,7 +26,8 @@
 ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
 ldapSettings.bindDN.getOrElse(""),
 ldapSettings.bindPassword.getOrElse(""),
- ldapSettings.tls.getOrElse(false)
+ ldapSettings.tls.getOrElse(false),
+ ldapSettings.keystore.getOrElse(SystemSettingsService.DefaultLdapKeystore)
 ) match {
 case Some(conn) => {
 withConnection(conn) { conn =>
@@ -46,7 +47,8 @@
 ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
 userDN,
 password,
- ldapSettings.tls.getOrElse(false)
+ ldapSettings.tls.getOrElse(false),
+ ldapSettings.keystore.getOrElse(SystemSettingsService.DefaultLdapKeystore)
 ) match {
 case Some(conn) => {
 withConnection(conn) { conn =>
@@ -60,10 +62,14 @@
 }
 }
- private def bind(host: String, port: Int, dn: String, password: String, tls: Boolean): Option[LDAPConnection] = {
+ private def bind(host: String, port: Int, dn: String, password: String, tls: Boolean, keystore: String): Option[LDAPConnection] = {
 if (tls) {
 // Dynamically set Sun as the security provider
 Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())
+
+ // Dynamically set the property that JSSE uses to identify
+ // the keystore that holds trusted root certificates
+ System.setProperty("javax.net.ssl.trustStore", keystore);
 }
 val conn: LDAPConnection = new LDAPConnection(new LDAPJSSEStartTLSFactory())
diff --git a/src/main/twirl/admin/system.scala.html b/src/main/twirl/admin/system.scala.html
index 6344943..26c2087 100644
--- a/src/main/twirl/admin/system.scala.html
+++ b/src/main/twirl/admin/system.scala.html
@@ -101,6 +101,13 @@
+
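Review bot: `ldapSettings.keystore.getOrElse(SystemSettingsService.DefaultLdapKeystore)` only falls back when the setting is `None`; the field is declared `optional(text())` in the controller hunk, and I cannot see from here whether a blank submission is stored as `None` or as `Some("")`, and in the latter case the trust-store property is set to an empty string and the default never applies. `ldapSettings.keystore.filter(_.nonEmpty).getOrElse(SystemSettingsService.DefaultLdapKeystore)` closes that gap; the same expression appears again in the second hunk (`@@ -46,7 +47,8 @@`). Both enclosing functions start outside their hunks.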
+ +
+ + +
+