diff --git a/compose.production.yml b/compose.production.yml
index e6f140d4..52a46a17 100644
--- a/compose.production.yml
+++ b/compose.production.yml
@@ -47,21 +47,25 @@ services:
       file: ./compose.yml
       service: idp
     # TODO Replace with proper production command
-    command: ['start-dev', '--http-port', '7080', '--https-port', '7443', '--import-realm']
+    command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm']
     networks:
       - dwengo-1
     labels:
       - 'traefik.enable=true'
       - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
       - 'traefik.http.services.idp.loadbalancer.server.port=7080'
+      - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy
+    volumes:
+      - /etc/keycloak:/opt/keycloak/
     env_file:
       - ./config/idp/.env
     environment:
       KC_HOSTNAME: 'sel2-1.ugent.be'
       PROXY_ADDRESS_FORWARDING: 'true'
       KC_PROXY_HEADERS: 'xforwarded'
-      KC_HTTP_ENABLED: 'true'
       KC_HTTP_RELATIVE_PATH: '/idp'
+      KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem'
+      KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem'
 
   reverse-proxy:
     image: traefik:v3.3
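Review bot: The new `volumes` entry mounts the host's `/etc/keycloak` over `/opt/keycloak/`, which (if this is the official Keycloak image) is the distribution root holding `bin/`, `lib/`, `conf/` and `providers/`, so the container has no Keycloak to run unless the host directory is a full install; mount only the two PEM files, read-only, e.g. `- /etc/keycloak/cert.pem:/opt/keycloak/conf/cert.pem:ro` and `- /etc/keycloak/key.pem:/opt/keycloak/conf/key.pem:ro`, and point `KC_HTTPS_CERTIFICATE_FILE`/`KC_HTTPS_CERTIFICATE_KEY_FILE` at those paths. The `traefik.tcp.routers.idp.tls.passthrough=true` label on its own declares no TCP router rule, entrypoint or service, so nothing is routed to 7443, and a passthrough TCP router matches on `HostSNI`, not path, so the `PathPrefix(\`/idp\`)` HTTP router to 7080 (which Keycloak no longer serves now that `KC_HTTP_ENABLED` is dropped under `start`) cannot be kept alongside it. Since `KC_PROXY_HEADERS: 'xforwarded'` is already set, the simpler documented option is to keep `KC_HTTP_ENABLED: 'true'` and terminate TLS at Traefik (edge mode) — verify this against the Keycloak version in use; if passthrough is really intended, the minimum labels are below, with the entrypoint name replaced by the reverse-proxy's TLS entrypoint, which is outside this hunk. The `# TODO Replace with proper production command` comment is now stale and should be removed. The `idp` service definition starts before this hunk.
```yaml
    labels:
      - 'traefik.enable=true'
      # … unchanged: HTTP router labels, only valid if edge termination is kept …
      - 'traefik.tcp.routers.idp.rule=HostSNI(`sel2-1.ugent.be`)'
      - 'traefik.tcp.routers.idp.entrypoints=websecure'  # match the reverse-proxy's TLS entrypoint
      - 'traefik.tcp.routers.idp.tls.passthrough=true'
      - 'traefik.tcp.services.idp.loadbalancer.server.port=7443'
    volumes:
      - /etc/keycloak/cert.pem:/opt/keycloak/conf/cert.pem:ro
      - /etc/keycloak/key.pem:/opt/keycloak/conf/key.pem:ro
    environment:
      # … unchanged: KC_HOSTNAME, PROXY_ADDRESS_FORWARDING, KC_PROXY_HEADERS, KC_HTTP_RELATIVE_PATH …
      KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/conf/cert.pem'
      KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/conf/key.pem'
```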