diff --git a/authentik/crypto/builder.py b/authentik/crypto/builder.py
index 6166e6c0c..b3ffc9e55 100644
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -58,7 +58,7 @@ class CertificateBuilder:
         self.__private_key = self.generate_private_key()
         self.__public_key = self.__private_key.public_key()
         alt_names: list[x509.GeneralName] = []
-        for alt_name in subject_alt_names:
+        for alt_name in subject_alt_names or []:
             if alt_name.strip() != "":
                 alt_names.append(x509.DNSName(alt_name))
         self.__builder = (
diff --git a/authentik/providers/oauth2/views/jwks.py b/authentik/providers/oauth2/views/jwks.py
index 2a1d3bea8..b6b397e66 100644
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@@ -96,14 +96,16 @@ class JWKSView(View):
         else:
             return key_data
         key_data["x5c"] = [b64encode(key.certificate.public_bytes(Encoding.DER)).decode("utf-8")]
-        key_data["x5t"] = urlsafe_b64encode(
-            key.certificate.fingerprint(hashes.SHA1())
-        ).decode(  # nosec
-            "utf-8"
-        ).rstrip("=")
-        key_data["x5t#S256"] = urlsafe_b64encode(
-            key.certificate.fingerprint(hashes.SHA256())
-        ).decode("utf-8").rstrip("=")
+        key_data["x5t"] = (
+            urlsafe_b64encode(key.certificate.fingerprint(hashes.SHA1()))  # nosec
+            .decode("utf-8")
+            .rstrip("=")
+        )
+        key_data["x5t#S256"] = (
+            urlsafe_b64encode(key.certificate.fingerprint(hashes.SHA256()))
+            .decode("utf-8")
+            .rstrip("=")
+        )
         return key_data
 
     def get(self, request: HttpRequest, application_slug: str) -> HttpResponse: