Certificate validation


Peter Heinemann

Jun 3, 2026, 1:15:49 PM
to pwm-general
We're using PWM 2.02; this is also related to the oauth idserver certificate.
Following on the concluding comment in
 https://groups.google.com/g/pwm-general/c/Xzk8hzVUSRM/m/y4CsMIWtBAAJ

"If you are using the most recent version of PWM and have the setting 'Settings ⇨ Security ⇨ Application Security ⇨ Certificate Validation Mode' set to CA, then only the CA of the cert is validated. The server and intermediate certs can change as long as they are still signed by the same root cert. This is the default behavior for new configs."

Our config uses the default as above.

The oauth server presents:
depth=3 C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1
verify return:1
depth=2 C = IN, O = eMudhra Technologies Limited, CN = emSign Root TLS CA - G1
verify return:1
depth=1 C = US, O = Internet2, CN = InCommon Intermediate CA - OVG2C
verify return:1
depth=0 C = US, ST = sate, L = city  O = org, CN = endEntity
verify return:1
DONE

PWM is configured with this root cert at oauth.idserver.serverCerts:

subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1
issuer=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1

But the connection fails with:
5059 ERROR_CERTIFICATE_ERROR (server certificate subject=CN=endEntity is not signed by configured ROOT CA certificate(s): server certificate subject=CN=endEntity is not trusted by ROOT CA subject=CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN,

Shouldn't that root certificate be sufficient?
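As an added illustration (not PWM's code and not something posted in this thread), here is a minimal model of the check the quoted comment describes for the "CA" validation mode: walk the chain the server presents, link by link, until a certificate signed by one of the configured root CAs is reached, and report the same kind of failure text as the error above when no link leads there. It uses the pyca/cryptography library. Every key, name and certificate is generated inside the script as a constructed stand-in for the real emSign / InCommon chain, shaped the same way (configured root, a second root cross-signed by it, an intermediate, the end entity).

```python
"""Model of a 'only the configured root CA is validated' chain check.

Added example; constructed certificates only. Not PWM's implementation.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer=None, is_ca=True):
    """Issue a test certificate. `issuer` is (cert, key); None means self-signed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer_name = issuer[0].subject if issuer else _name(subject_cn)
    signing_key = issuer[1] if issuer else key
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def _signed_by(cert, candidate):
    """True if `candidate` is a CA whose key produced the signature on `cert`."""
    if cert.issuer != candidate.subject:
        return False
    try:
        basic = candidate.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not basic.ca:
        return False
    try:
        candidate.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def chains_to_configured_root(leaf, presented, roots):
    """CA-mode check: follow the presented chain until a configured root signs a link.

    `presented` is whatever the server sent besides the leaf (intermediates, and
    possibly the root itself). Returns (ok, explanation).
    """
    current = leaf
    used = []
    while True:
        for root in roots:
            if _signed_by(current, root):
                return True, f"chain ends at configured ROOT CA {root.subject.rfc4514_string()}"
        nxt = next((c for c in presented
                    if c not in used and c != current and _signed_by(current, c)), None)
        if nxt is None:
            return False, (f"server certificate subject={current.subject.rfc4514_string()} "
                           f"is not signed by configured ROOT CA certificate(s)")
        used.append(nxt)
        current = nxt


def build_demo_chain():
    """Constructed four-level chain mirroring the depth=3..0 layout in the post."""
    root = make_cert("Demo Root CA")                          # depth 3, the configured root
    cross = make_cert("Demo Root TLS CA", issuer=root)        # depth 2, a root cross-signed by it
    inter = make_cert("Demo Intermediate CA", issuer=cross)   # depth 1
    leaf = make_cert("endEntity", issuer=inter, is_ca=False)  # depth 0
    other = make_cert("Unrelated Root CA")                    # a root that signs nothing here
    return {"root": root[0], "cross": cross[0], "inter": inter[0],
            "leaf": leaf[0], "other": other[0]}


if __name__ == "__main__":
    c = build_demo_chain()
    full = [c["inter"], c["cross"], c["root"]]
    print(chains_to_configured_root(c["leaf"], full, [c["root"]]))      # (True, ...)
    print(chains_to_configured_root(c["leaf"], [c["inter"]], [c["root"]]))  # (False, ...) gap at depth 2
    print(chains_to_configured_root(c["leaf"], full, [c["other"]]))     # (False, ...) wrong anchor
```

The second and third calls show the two ways this style of check produces a "not signed by configured ROOT CA" result even though the root in the store is genuine: a link of the presented chain is missing, or the configured root is not the one that actually signed the top of the chain. Comparing the `issuer=` lines of each presented certificate with the subject of the configured root, as the post does with the depth output, is the quickest way to tell which case applies.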