OAuth and certificate issues


William Pohlhaus

Mar 25, 2025, 2:07:25 PM
to pwm-general

Hi everyone,

For those using SSO OAuth with Entra, how are you managing the "OAuth Server Certificate" that you import from Microsoft?

We initially imported the certificate through the Configuration Editor from the server, which worked fine. However, over the past week, we have had to manually add two additional certificates and their intermediate certificates to the PWM configuration. This was necessary because we encountered repeated ERROR_CERTIFICATE_ERROR messages like the one below which were preventing our users from logging in:

2025-03-25T13:03:06Z, ERROR, oauth.OAuthConsumerServlet, {JkSY1} unexpected error communicating with oauth server: 5071 ERROR_OAUTH_ERROR (error during oauth code resolver http request to oauth server, remote error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: 5059 ERROR_CERTIFICATE_ERROR (server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not signed by configured ROOT CA certificate(s): server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not trusted by ROOT CA subject=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US, serial=3261708894152296593076398650851921056 server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not trusted by ROOT CA subject=CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US, serial=6777998955659694689652228948589800396 )))

Notably, the latest certificate that caused the issue was created this morning at 5:32 AM EDT.

My question is: Is there a way to configure PWM to automatically download and validate intermediate certificates along with the primary one from Microsoft? This would prevent us from having to monitor logs and manually update the "OAuth Server Certificate" every time Microsoft changes certificates. Or is there a setting in the Entra configuration that will force Microsoft to serve up the same certificate every time?

Any insights or suggestions would be greatly appreciated!

Thanks!

Adrian Puryear

May 22, 2025, 3:36:31 PM
to pwm-general
Hi William,

I was just starting into the OAuth configuration myself and was curious about the same thing.  Did you ever find a solution for this? Thanks!

Jason Rivard

May 22, 2025, 6:15:38 PM
to pwm-general
If you are using the most recent version of PWM and have the setting 'Settings ⇨ Security ⇨ Application Security ⇨ Certificate Validation Mode' set to CA, then only the CA of the cert is validated. The server and intermediate certs can change as long as they are still signed by the same root cert. This is the default behavior for new configs.