
How to fix:

Your Highness 0 Reputation points
2026-04-01T04:49:23.13+00:00

AADSTS500191: The certificate authority that issued your certificate has not been set up in the tenant.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Shubham Sharma 15,500 Reputation points Microsoft External Staff Moderator
    2026-04-01T06:55:22.1133333+00:00

    Hello Your Highness

    Thank you for reaching out to Microsoft Q&A.

    AADSTS500191 error means Azure AD doesn’t yet trust the CA that issued your client certificate. On macOS the fix is the same as on other platforms: you have to register your issuing CA as a trusted certificate authority in your Entra tenant (and/or upload the specific client cert to your app registration). Here’s what to do:

    1. Export your Root CA (or issuing CA) public certificate in .cer or .pem format.
    2. In the Azure portal go to Azure Active Directory → Security → Authentication methods → Certificate-based authentication.
    3. Under “Trusted certificate authorities,” click “Add,” give it a name, and upload your CA public cert.
    4. Optionally configure any certificate policies (issuer subject name, user mappings, etc.).
    5. Save and wait ~5–10 minutes for it to propagate.

    If you’re using a certificate on an App Registration (for service-to-service auth):

    • Go to Azure Active Directory → App registrations → [Your App] → Certificates & secrets.
    • Click “Upload certificate” and select your client cert or a certificate chain file.

    On macOS, make sure your client cert and private key are installed in the login keychain (for example via security import mycert.pfx -k ~/Library/Keychains/login.keychain) and that whatever tool or SDK you’re using points to that keychain item.

    Once your CA (or client cert) is trusted by the tenant, retry your sign-in and the AADSTS500191 error should go away.

    Please let us know if the above steps help.

    Reference list

    • How to set up Microsoft Entra ID for client authentication

    https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-creation-via-arm#set-up-azure-active-directory-for-client-authentication

    • Common questions and solutions for Microsoft Entra configuration

    https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/README.md#aad-configuration

    • How to assign users to a role

    https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-creation-via-arm#assign-users-to-roles

    • Service Fabric security concepts

    https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security

    • Service Fabric security recommendations

    https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security#security-recommendations


  2. Q&A Assist
    2026-04-01T04:49:34.7933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To fix error AADSTS500191: The certificate authority that issued your certificate has not been set up in the tenant, configure the issuing certificate authority (CA) in Microsoft Entra ID for certificate-based authentication.

    Follow these steps:

    1. Ensure the correct CA certificates are available
      • Export the public certificates for the issuing CA chain:
        • Root CA (*.cer)
        • Any intermediate CAs (*.cer)
      • Make sure the CRL (Certificate Revocation List) endpoints in these certificates are reachable from Microsoft Entra ID (internet-facing HTTP URLs only; OCSP/LDAP are not supported).
    2. Configure the CA in Microsoft Entra admin center
      1. Sign in to the Microsoft Entra admin center as a Global Administrator.
      2. Go to Entra ID → Identity Secure Score → Certificate authorities.
      3. Select Upload.
        • Select the CA .cer file.
        • Choose Yes if it is a root certificate, otherwise No.
        • For Certificate Revocation List URL, enter the internet-facing base CRL URL for that CA. If this URL is not set, authentication with revoked certificates will not fail.
        • Optionally set the Delta Certificate Revocation List URL for the delta CRL.
      4. Select Add.
      5. If upload fails because an existing CA is expired, delete the expired CA entry and retry the upload.
    3. Configure CA via Microsoft Graph PowerShell (optional/advanced)
      • Install and connect Microsoft Graph PowerShell:
             Install-Module Microsoft.Graph
             Connect-MgGraph
        
      • Retrieve current CA configuration:
             Get-MgOrganizationCertificateBasedAuthConfiguration
        
      • Use the certificate-based auth configuration cmdlets to add or update the trusted CAs as required.
    4. Verify trust and CRL resolution on ADFS/WAP (if using federated CBA)
      • Ensure the root CA .cer is in Trusted Root Certification Authorities and intermediate CAs are in Intermediate Certification Authorities on ADFS and Web Application Proxy servers (certlm.msc or certutil -verifystore root and certutil -verifystore CA).
      • Confirm ADFS and WAP can resolve the CRL endpoints present in the intermediate CA and user certificates.

    Once the issuing CA (and its CRL URLs) is correctly configured and trusted in the tenant, certificate-based sign-in should succeed and AADSTS500191 should no longer occur.


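Both answers come down to the same check: is the CA that issued the rejected client certificate actually among the tenant's configured CAs, and does each configured CA carry a usable CRL URL. The script below is an added PowerShell example, not code from either answer; it assumes the Microsoft.Graph module is installed, that the Certificate property of each configured CA holds the DER bytes of that CA certificate, and that C:\temp\client.cer is a placeholder path for the rejected client certificate (public part only).

```powershell
# Added example, not code from either answer above: list the CAs configured for
# certificate-based authentication in the tenant and check whether the client
# certificate that triggered AADSTS500191 was issued by one of them.
# Assumptions: Microsoft.Graph PowerShell is installed, the Certificate property of each
# configured CA holds the DER bytes of that CA certificate, and C:\temp\client.cer is a
# placeholder path for the rejected client certificate (public part only).
Connect-MgGraph -Scopes "Organization.Read.All"

$tenantId      = (Get-MgOrganization).Id
$config        = Get-MgOrganizationCertificateBasedAuthConfiguration -OrganizationId $tenantId
$configuredCAs = @($config.CertificateAuthorities)

if ($configuredCAs.Count -eq 0) {
    Write-Warning "No certificate authorities are configured for CBA in tenant $tenantId."
}

# Compare DNs as .NET formats them on both sides, ignoring case and spacing around separators.
function ConvertTo-NormalizedDn([string] $dn) {
    ($dn -replace '\s*,\s*', ',' -replace '\s*=\s*', '=').Trim().ToLowerInvariant()
}

$client       = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("C:\temp\client.cer")
$clientIssuer = ConvertTo-NormalizedDn $client.Issuer
$matched      = $false

"Configured CAs in tenant ${tenantId}:"
foreach ($ca in $configuredCAs) {
    $caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$ca.Certificate)
    $crl    = if ($ca.CertificateRevocationListUrl) { $ca.CertificateRevocationListUrl } else { '<none>' }
    "  subject={0} root={1} crl={2}" -f $caCert.Subject, $ca.IsRootAuthority, $crl

    # Entra ID downloads CRLs over plain HTTP; an empty URL means revocation is never checked.
    if ($crl -eq '<none>') {
        Write-Warning "  '$($caCert.Subject)' has no CRL URL: revoked certificates from this CA will still sign in."
    } elseif ($crl -notmatch '^http://') {
        Write-Warning "  '$($caCert.Subject)' CRL URL is not http://; Entra ID cannot fetch it."
    }

    if ((ConvertTo-NormalizedDn $caCert.Subject) -eq $clientIssuer) { $matched = $true }
}

if ($matched) {
    "Issuer '$($client.Issuer)' is configured; if AADSTS500191 persists, check intermediates and CRL reachability."
} else {
    "Issuer '$($client.Issuer)' is NOT configured; upload the issuing CA (and any intermediates) under Certificate authorities, then retry after propagation."
}
```

The DN comparison is a string match after normalisation, so a CA whose subject is encoded unusually can still need a manual look at the printed list.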
