diff --git a/internal/configs/oidc/oidc.conf b/internal/configs/oidc/oidc.conf
index 67e1a84f2f..e7b4c5209d 100644
--- a/internal/configs/oidc/oidc.conf
+++ b/internal/configs/oidc/oidc.conf
@@ -12,7 +12,12 @@
         proxy_cache jwk;                              # Cache the JWK Set received from IdP
         proxy_cache_valid 200 12h;                    # How long to consider keys "fresh"
         proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
-        proxy_ssl_server_name on;                     # For SNI to the IdP
+
+        proxy_ssl_verify on;                          # Enforce TLS certificate verification
+        proxy_ssl_verify_depth 2;                     # Allow intermediate CA chains of depth 2
+        proxy_ssl_server_name on;                     # Send SNI to IdP host
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
+
         proxy_method GET;                             # In case client request was non-GET
         proxy_set_header Content-Length "";           # ''
         proxy_pass $oidc_jwt_keyfile;                 # Expecting to find a URI here
@@ -42,7 +47,11 @@
         # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
         proxy_pass_request_headers off;
 
-        proxy_ssl_server_name on; # For SNI to the IdP
+        proxy_ssl_verify on;         # Enforce TLS certificate verification
+        proxy_ssl_verify_depth 2;    # Allow intermediate CA chains of depth 2
+        proxy_ssl_server_name on;    # Send SNI to IdP host
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
+
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;
@@ -57,7 +66,11 @@
         # Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
         proxy_pass_request_headers off;
 
-        proxy_ssl_server_name on; # For SNI to the IdP
+        proxy_ssl_verify on;         # Enforce TLS certificate verification
+        proxy_ssl_verify_depth 2;    # Allow intermediate CA chains of depth 2
+        proxy_ssl_server_name on;    # Send SNI to IdP host
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
+
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
         proxy_set_header      Authorization $arg_secret_basic;
         proxy_pass            $oidc_token_endpoint;