Automatically generated certificates are not self-signed

[bitpavel-l25]

Describe the bug

Some services connected with SAML protocol verify certificate that is used to sign SAML response. And automatically generated Authentik certificates don't pass such check. Specifically, we faced such issue with Splunk service. We were forced to issue self-signed certificate manually to make it work with a command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/O=name.dns/OU=SSO/CN=sso.name.dns"
For comparison, Okta issues self-signed certificates for SAML applications as well, but they are really 'self-signed' and work correctly.

How to reproduce

1. Download default Authentik certificate, or generate a new one on System > Certificates page
2. Verify with a command openssl verify -CAfile ./cert.pem ./cert.pem. You will see:

CN=test, O=authentik, OU=Self-signed
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./test_certificate.pem: verification failed

Expected behavior

openssl verify call has to print:
./cert.pem: OK

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10.2

Relevant log output

[BeryJu]

@bitpavel-l25 after some testing in the PR linked above, python cryptography doesn't seem to agree and complains when the self-signed cert has the CA constraint set (as openssl seems to do), saying validation failed: basicConstraints.cA must not be asserted in an EE certificate

(ref pyca/cryptography#12267 (comment))

[bitpavel-l25]

@BeryJu Interesting point indeed, thank you.
What do you think about generating CA certificate, and using it to issue provider-specific certificates? We'll be able to import this CA certificate to services like Splank for SAML requests validation.
With such approach, the next interesting step may be to integrate Authentik with Hashicorp Vault and other analogues for issuing certificates. Thus, Authentik will be completely integrated into the corporate PKI, what provides your clients additional value. (Sounds like an reasonable feature for the Enterprise subscription).

[bitpavel-l25]

BTW, self-signed certificate issued by hashicorp/tls provider at Terraform is signed by itself. Looks like the industry doesn't have a consensus here.
Feel free to test it by yourself, using the code:

resource "tls_private_key" "selfsigned" {
  algorithm   = "RSA"
}

resource "tls_self_signed_cert" "selfsigned" {
  private_key_pem = tls_private_key.selfsigned.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

resource "local_file" "selfsigned" {
  content  = tls_self_signed_cert.selfsigned.cert_pem
  filename = "${path.module}/cert.pem"
}

[bitpavel-l25]

Folks from pyca/cryptography reference to x509-limbo, that has only 55 GitHub stars. This doesn't look very convincing to me. OpenSSL is the industry standard, so personally I would focus on it first and foremost.

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.