diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
index 45c7f1949e2..42d585eb71c 100644
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -99,6 +99,7 @@ For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
 | OIDC_REMEMBER_ME | False | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked |
 | OIDC_SIGNING_ALGORITHM | RS256 | The algorithm used to sign the id token (examples: RS256, HS256) |
 | OIDC_USER_CLAIM | email | Optional: 'email', 'preferred_username' |
+| OIDC_TLS_CACERTFILE | None | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`) |
 
 ### Themeing
 
diff --git a/mealie/core/security/providers/openid_provider.py b/mealie/core/security/providers/openid_provider.py
index 77e1927472f..ebc021838cc 100644
--- a/mealie/core/security/providers/openid_provider.py
+++ b/mealie/core/security/providers/openid_provider.py
@@ -119,20 +119,27 @@ def get_jwks() -> KeySet | None:
 
 if not (settings.OIDC_READY and settings.OIDC_CONFIGURATION_URL):
 return None
- configuration = None
- with requests.get(settings.OIDC_CONFIGURATION_URL, timeout=5) as config_response:
- config_response.raise_for_status()
- configuration = config_response.json()
+
+ session = requests.Session()
+ if settings.OIDC_TLS_CACERTFILE:
+ session.verify = settings.OIDC_TLS_CACERTFILE
+
+ config_response = session.get(settings.OIDC_CONFIGURATION_URL, timeout=5)
+ config_response.raise_for_status()
+ configuration = config_response.json()
 
 if not configuration:
 OpenIDProvider._logger.warning("[OIDC] Unable to fetch configuration from the OIDC_CONFIGURATION_URL")
+ session.close()
 return None
 
 jwks_uri = configuration.get("jwks_uri", None)
 if not jwks_uri:
 OpenIDProvider._logger.warning("[OIDC] Unable to find the jwks_uri from the OIDC_CONFIGURATION_URL")
+ session.close()
 return None
 
- with requests.get(jwks_uri, timeout=5) as response:
- response.raise_for_status()
- return JsonWebKey.import_key_set(response.json())
+ response = session.get(jwks_uri, timeout=5)
+ response.raise_for_status()
+ session.close()
+ return JsonWebKey.import_key_set(response.json())
diff --git a/mealie/core/settings/settings.py b/mealie/core/settings/settings.py
index f035bbbc795..8c8767902bc 100644
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -192,6 +192,7 @@ def LDAP_ENABLED(self) -> bool:
 OIDC_REMEMBER_ME: bool = False
 OIDC_SIGNING_ALGORITHM: str = "RS256"
 OIDC_USER_CLAIM: str = "email"
+ OIDC_TLS_CACERTFILE: str | None = None
 
 @property
 def OIDC_READY(self) -> bool:
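Review bot: The session created at `session = requests.Session()` is closed only on the success path and inside the two warning guards; when either `session.get` raises (timeout, connection error, `SSLError` on a certificate the configured CA does not sign) or `raise_for_status()` raises `HTTPError`, none of the three `session.close()` calls run and the connection pool is left to the garbage collector, which the `with requests.get(...)` form this hunk removes did not do. Since `requests.Session` is a context manager, placing both requests under `with session:` closes it on every exit, including exceptions, and makes the explicit close calls unnecessary, as sketched below. The `session.verify` assignment also deserves a comment that a CA file replaces the default trust store for the whole session rather than extending it, so the host in the `jwks_uri` taken from the discovery document must chain to that same CA; whether other HTTPS calls in this file (an authlib client fetching tokens or userinfo, if present) pick this setting up is not visible from the hunk and is worth checking. `get_jwks` begins above the hunk.
```python
    session = requests.Session()
    # A CA file given here replaces the default trust store for every request on
    # this session (the jwks_uri fetch included); unset/empty keeps verify=True.
    if settings.OIDC_TLS_CACERTFILE:
        session.verify = settings.OIDC_TLS_CACERTFILE

    # requests.Session is a context manager: the pool is closed on every exit,
    # including exceptions raised by get() or raise_for_status().
    with session:
        config_response = session.get(settings.OIDC_CONFIGURATION_URL, timeout=5)
        config_response.raise_for_status()
        configuration = config_response.json()

        # … unchanged: the two warning guards, minus their session.close() lines …

        response = session.get(jwks_uri, timeout=5)
        response.raise_for_status()
        return JsonWebKey.import_key_set(response.json())
```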
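Review bot: `OIDC_TLS_CACERTFILE: str | None = None` accepts any string, so a mistyped or unreadable path is only discovered when `get_jwks` makes its first HTTPS request (requests raises an `OSError` about the bundle path from inside its adapter), i.e. at the first OIDC login rather than at startup. A validator on the field that checks `Path(v).is_file()` when a value is set, or a check folded into `OIDC_READY`, would fail fast with a clear message; the exact decorator depends on the pydantic version this settings class uses, which the hunk does not show. An empty string from the environment is falsy and is silently treated as unset, which matches the `if settings.OIDC_TLS_CACERTFILE` guard in the provider but should be stated on the field: `# Path to a CA bundle used to verify the OIDC endpoints; unset or empty keeps requests' default verification`. `OIDC_READY` continues below the hunk.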