FIDO2 Yubikey registration not working after enable LDAPS

Hi everyone,
We are running Keycloak with Postgres DB both in a docker container. Our use case is to have users authenticated towards Active Directory and as an additional factor, the users needs to register a FIDO2 YubiKey Bio device. The Yubikey model was fixed by setting up an “Acceptable AAGUIDs”. On Keycloak we also setup TLS according the official guide Configuring TLS - Keycloak (Providing certificates in PEM format). The certificate was created from a own CA, as the system is isolated from internet.
All was working fine. Then I was asked to setup LDAPS for the connection between Keycloak and Active Directory. I implemented this according the official guide Configuring trusted certificates for outgoing requests - Keycloak with a SPI Truststore. All is still working for the authentication of existing users. But for some reasons, I am not able to register new Yubikeys for any users. Doing so, I am getting the error: “Failed to register your Security key. invalid cert path”
I found out, that this is just the case when having the filter for the Yubikey in place with the setting in “Authentication → Policies → Webauthn Policy → Acceptable AAGUIDs → d8522d9f-575b-4866-88a9-ba99fa02f35b” together with the setting “Authentication → Policies → Webauthn Policy → Attestation conveyance preference → Direct”. When removing this two settings, all works fine but like this, I can not define that only the specific Yubikeys should be accepted.
I have also seen this forum entry, which is somehow the same issue: WebAuthn Register Key Fails, invalid cert path
I tried the solution mentioned there without success.
And in this Red Hat KB the issue sounds the same as well: invalid cert path error while registering WebAuthn authenticator in RH-SSO - Red Hat Customer Portal
I am not sure about the solution mentioned there, as I do not have a RH-SSO truststore at all.

This is my docker compose file I run together with an environment file .env:

version: "3.8"

    image: "${KC_VERSION:?err}"
    restart: always
    command: start-dev
      KC_DB: postgres
      KC_DB_URL_HOST: postgres_keycloak
      - ${KC_HTTP_PORT}:8080
      - ${KC_HTTPS_PORT}:8443
        condition: service_healthy
      - ./certs:/etc/ssl/c2i-certs
      - keycloak_network

    image:  "postgres:${POSTGRES_VERSION:?err}"
    restart: always
      - ./data/postgresql/data:/var/lib/postgresql/data
      test: ["CMD", "pg_isready", "-U", "${KC_DB_USERNAME}"]
      interval: 10s
      start_period: 5s
      - keycloak_network

    driver: bridge

I am running keycloak in version 23.0.4.

I have also tried to have TLS enabled with a Java keystore instead of setting the PEM files with the following env variables:


And add an additional Java truststore for HTTPS with the following env variables:


The variables are pointing to the same Trusstore I am using for the SPI Truststore, as the CA Cert is the same that is signing the Active Directory and the keycloak https cert.

This are the logs I am getting from keycloak:

keycloak-keycloak-1           | 2024-01-22 15:14:03,524 DEBUG [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-13) invalid cert path: com.webauthn4j.validator.exception.CertificateException: invalid cert path
keycloak-keycloak-1           |         at com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase.validate(
keycloak-keycloak-1           |         at com.webauthn4j.validator.AttestationValidator.validate(
keycloak-keycloak-1           |         at com.webauthn4j.validator.RegistrationDataValidator.validate(
keycloak-keycloak-1           |         at com.webauthn4j.WebAuthnRegistrationManager.validate(
keycloak-keycloak-1           |         at org.keycloak.authentication.requiredactions.WebAuthnRegister.processAction(
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at$quarkusrestinvoker$requiredActionPOST_677a8efd4e80bfe1b3aa5a0d6fca2043252c9624.invoke(Unknown Source)
keycloak-keycloak-1           |         at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(
keycloak-keycloak-1           |         at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(
keycloak-keycloak-1           |         at org.jboss.threads.EnhancedQueueExecutor$
keycloak-keycloak-1           |         at org.jboss.threads.EnhancedQueueExecutor$
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at
keycloak-keycloak-1           |         at java.base/
keycloak-keycloak-1           | Caused by: Path does not chain with any of the trust anchors
keycloak-keycloak-1           |         at java.base/
keycloak-keycloak-1           |         at java.base/
keycloak-keycloak-1           |         at java.base/
keycloak-keycloak-1           |         at com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase.validate(
keycloak-keycloak-1           |         ... 17 more
keycloak-keycloak-1           |
keycloak-keycloak-1           | 2024-01-22 15:14:03,525 WARN  [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-13) webauthn-error-registration
keycloak-keycloak-1           | 2024-01-22 15:14:03,525 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-13) new JtaTransactionWrapper
keycloak-keycloak-1           | 2024-01-22 15:14:03,526 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-13) was existing? true
keycloak-keycloak-1           | 2024-01-22 15:14:03,529 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-13) JtaTransactionWrapper  commit
keycloak-keycloak-1           | 2024-01-22 15:14:03,529 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-13) JtaTransactionWrapper end
keycloak-keycloak-1           | 2024-01-22 15:14:03,529 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-13) JtaTransactionWrapper resuming suspended
keycloak-keycloak-1           | 2024-01-22 15:14:03,529 WARN  [] (executor-thread-13) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=1973b5a6-766b-4834-b182-378e7e4d36cb, clientId=myclient, userId=f:b6aeaed9-71ca-4ebb-8d89-3b8dd7b059f2:demo.mest, ipAddress=, error=invalid_registration, credential_type=webauthn, auth_method=openid-connect, web_authn_registration_error_detail='invalid cert path', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-registration, redirect_uri=******/&realm=mest-realm&client=myclient, remember_me=false, code_id=82ac68cb-8eb6-42b7-b5c1-975540e2d632, response_mode=fragment, username=demo.mest

Has anybody some idea, what has to be done to fix this problem?
Thank you very much.

We were able to fix this problem.
The main problem here was, as soon you enable ldaps instead of ldap, keycloak enables all the security extensions. By enabling these security extensions, the certs installed on the Yubikeys are also checked towards a Yubikey CA trust anchor. To make this work, you have to import this Yubikey CA trust anchor into the SPI truststore as well (together with the Root CA that is signing the ldaps server cert). We found this out by analysing the Java class throwing the exception: com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase.validate(

The Yubikey CA cert we found here:

After importing this Yubikey CA cert into SPI truststore as well and restart the keycloak container, registration of new Yubikeys (of the specific filtered “Acceptable AAGUIDs”) was possible again.