diff --git a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwks.erl b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwks.erl
index ffaad03b90ed..6975d7974197 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwks.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwks.erl
@@ -1,5 +1,5 @@
 -module(uaa_jwks).
--export([get/1]).
+-export([get/1, ssl_options/0]).
 -spec get(string() | binary()) -> {ok, term()} | {error, term()}.
 get(JwksUrl) ->
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
index 8395909dbda3..edda0445ffa6 100644
--- a/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
@@ -48,7 +48,9 @@ all() ->
 test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_scope_field,
 test_successful_access_with_a_token_that_uses_single_scope_alias_in_extra_scope_source_field,
 test_successful_access_with_a_token_that_uses_multiple_scope_aliases_in_extra_scope_source_field,
- test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field
+ test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field,
+ test_default_ssl_options,
+ test_default_ssl_options_with_cacertfile
 ].
 init_per_suite(Config) ->
@@ -88,6 +90,10 @@ init_per_testcase(test_post_process_payload_rich_auth_request_using_regular_expr
 application:set_env(rabbitmq_auth_backend_oauth2, resource_server_id, <<"rabbitmq-test">>),
 Config;
+init_per_testcase(test_default_ssl_options_with_cacertfile, Config) ->
+ application:set_env(rabbitmq_auth_backend_oauth2, key_config, [{ cacertfile, filename:join(["testca", "cacert.pem"]) }] ),
+ Config;
+
 init_per_testcase(_, Config) ->
 Config.
@@ -96,6 +102,10 @@ end_per_testcase(test_post_process_token_payload_complex_claims, Config) ->
 application:set_env(rabbitmq_auth_backend_oauth2, resource_server_id, undefined),
 Config;
+end_per_testcase(test_default_ssl_options_with_cacertfile, Config) ->
+ application:set_env(rabbitmq_auth_backend_oauth2, key_config, undefined),
+ Config;
+
 end_per_testcase(_, Config) ->
 Config.
@@ -1344,7 +1354,24 @@ test_validate_payload_when_verify_aud_false(_) ->
 <<"scope">> => [<<"bar">>, <<"other.third">>]}},
 rabbit_auth_backend_oauth2:validate_payload(WithAudWithUnknownResourceId, ?RESOURCE_SERVER_ID, ?DEFAULT_SCOPE_PREFIX)).
-
+test_default_ssl_options(_) ->
+ ?assertEqual([
+ {verify, verify_none},
+ {depth, 10},
+ {fail_if_no_peer_cert, false},
+ {crl_check, false},
+ {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}}
+ ], uaa_jwks:ssl_options()).
+
+test_default_ssl_options_with_cacertfile(_) ->
+ ?assertEqual([
+ {verify, verify_none},
+ {depth, 10},
+ {fail_if_no_peer_cert, false},
+ {crl_check, false},
+ {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}},
+ {cacertfile, filename:join(["testca", "cacert.pem"])}
+ ], uaa_jwks:ssl_options()).
 %%
 %% Helpers
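Review bot: The teardown clause for `test_default_ssl_options_with_cacertfile` stores the atom `undefined` under `key_config` instead of removing the key, so a later `application:get_env/3` call that passes a default gets `undefined` back rather than that default. Code that treats `key_config` as a proplist would then fail in any test case that runs afterwards; the reader in `uaa_jwks` is not part of this diff, so this is inferred. Restoring with `application:unset_env(rabbitmq_auth_backend_oauth2, key_config)` returns the environment to what it was before the matching `init_per_testcase` clause in the `-88,6 +90,10` hunk ran.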
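Review bot: Both new cases pin `{verify, verify_none}` as the expected output of `uaa_jwks:ssl_options/0`, and `test_default_ssl_options_with_cacertfile` does so even though a `cacertfile` is configured, so the suite now records as intended behaviour that the JWKS endpoint's certificate is not checked against the supplied CA. The keys fetched from that endpoint are what token signatures are validated with, which makes an unverified connection a weak point in the trust chain. The body of `ssl_options/0` is outside this diff, so whether `verify` is configurable cannot be confirmed here; if it is, the cacertfile case should set it and expect `{verify, verify_peer}`. If `verify_none` has to stay as the default for compatibility, say so next to the tests, for example `%% verify_none is the current default, kept for compatibility; it is not a recommended setting`.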