Forum Discussion

MVP

Nov 09, 2022

F5 OAUTH JWT error "failed trust verification with trusted CA bundle"

Hello to All, I tried using F5 as an OAUTH server that generates JWT tokens on 16.1.3.2 but I get the error "01071ca5:3: The JWK config (/Common/F5-CA) associated to OAuth profile (/Common/F5-O...

MVP

Nov 09, 2022

Hi Nikolay,

I have no experience with OAuth, but I found the following log message reference:

01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

Location:
/var/log/ltm

Conditions:
This is a common error for OAuth profile or OAuth provider page.

The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.

Ref: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01071ca5

Nikoolayy1
MVP
Nov 09, 2022
Hello Enes_Afsin_Al ,

Thanks fo the reply as forgot to mention reference this article/bug that you shared is the first thing I checked and this why I am thinking to be a bug as I have generated my own CA cert on the F5 signed the keys with it and I get the error and in pictures I shared, it is seen that the same SSL cert is configured under the Oauth profile or the key config.

As a note I used https://jwt.io/ and article https://support.f5.com/csp/article/K07645403 to see the JWT and it has my user claim, so JWT is something that is much better than opaque tokens and I am thinking getting to the bottom of this may help other people as well. For now Octed JWT with shared secret is the workaround but for me it is less secure than JWT signed with SSL certs even the Octed JWT is rotated every month for example.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

F5 OAUTH JWT error "failed trust verification with trusted CA bundle"

01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

APM HTTP Connector request and HTTP Headers

Can't change sync type or failover after tenant upgrade.

F5OS (rseries 2800) in transparent mode

How to log HTTP/2 reset_stream

How can k8s CIS CRD VirtualServer reference existing APM Access profile?

Related Content

SSL Bridging verification

Google Authenticator Token Verification iRule For APM

ASM secheduled reports "SMTP Error: The following recipients failed"

Google Authenticator Verification iRule (TMOS v11.1+ optimized)

OS version verification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS