The Dockerfile for creating the GraphDB image is available on GitHub. Copy the Dockerfile and the Makefile to any directory on your machine. In the Dockerfile, as part of the RUN command you need to add all commands that are needed to use self-signed certificates. You can also change any other GraphDB configurations. If the ca.crt is the public key certificate it is by definition public and it does not contain any information that allows one to impersonate the server that has the corresponding private key certificate. So it is safe to add the file to the repo, but... there is a better solution: Get dynamically the public key certificate from the server.
(To generate an unencrypted key/certificate pair, refer to Generating an Unencrypted Private Key and Self-Signed Public Certificate.) General Information. When operating in a FIPS-approved mode, PKI key/certificates must be between 1024- bits and 4096-bits, inclusive. The supported cipher combinations allowed for SSL negotiation are limited to: