diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 8a92792b895a8ada0a1fed8176ad6ea9cb44dac6..efe53c10942439e0f59afd1b74aeccc18bdd715e 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -52,15 +52,18 @@ listen odfeserv
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst }
 	
 listen keycloakserv
-        bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
-        mode http
+        # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here 
+        bind *:12443
+        mode tcp
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-        option httplog
+        option tcp-check
+        option tcplog
+        tcp-check connect port 8443
 {% for keycloakhost in groups['keycloakcontainers'] %}
-	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+	server {{keycloakhost}} {{keycloakhost}}:8443 check
 {% endfor %}
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }
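Review bot: With `mode tcp` the backend only ever sees HAProxy's own address as the connection source, so Keycloak's login audit records, brute-force detection and any address-based rules it applies will all be keyed on the proxy rather than the real client; the commit moves client-certificate checking to Keycloak but does not address this loss of origin information. If Keycloak is configured to accept the PROXY protocol, the server line can forward the original address with `server {{keycloakhost}} {{keycloakhost}}:8443 check send-proxy-v2` (enabling it without the matching backend setting breaks every connection, so this needs to be confirmed against the Keycloak deployment). Separately, the health check regressed from a TLS handshake (the old `ssl check`) to a bare TCP connect at `tcp-check connect port 8443`, which passes as long as the port accepts connections even if the TLS listener is broken; `tcp-check connect port 8443 ssl` restores a handshake-level check, with the verification behaviour presumably taken from the server line's verify settings, which this hunk no longer sets. The `listen keycloakserv` section may continue past the end of this hunk.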