diff --git a/packages/backend/src/misc/gen-x509-cert-from-jwk.ts b/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
index 2d5698daa..b2650a499 100644
--- a/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
+++ b/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
@@ -18,13 +18,13 @@ export async function genX509CertFromJWK(
 cert.setSubject(attrs);
 cert.setIssuer(attrs);
 cert.publicKey = await jose
- .importJWK(JSON.parse(publicKey), alg)
+ .importJWK(JSON.parse(publicKey), alg, { extractable: true })
 .then((k) => jose.exportSPKI(k as jose.CryptoKey))
 .then((k) => forge.pki.publicKeyFromPem(k));
 cert.sign(
 await jose
- .importJWK(JSON.parse(privateKey), alg)
+ .importJWK(JSON.parse(privateKey), alg, { extractable: true })
 .then((k) => jose.exportPKCS8(k as jose.CryptoKey))
 .then((k) => forge.pki.privateKeyFromPem(k)),
 forge.md.sha256.create(),
diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
index fcae13987..b0399ad6e 100644
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@@ -238,7 +238,7 @@ export class SAMLIdentifyProviderService {
 const idp = saml.IdentityProvider({
 metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 privateKey: await jose
- .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
+ .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm, { extractable: true })
 .then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 });
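Review bot: The new `{ extractable: true }` on the private-key import is undocumented, and it is the kind of flag a later cleanup removes because nothing says why it is there; the reason is that `jose.exportPKCS8` on the next line has to read the raw key material so forge can sign the certificate, which also means the private key now exists as a PEM string in the JS heap rather than only behind a non-extractable CryptoKey handle. Add `// extractable: exportPKCS8 must read the raw key so forge.pki.privateKeyFromPem can sign the cert` above the private-key chain so the trade-off is visible. On the public-key chain the option is presumably redundant if jose already imports public keys as extractable, but it is harmless; if that is confirmed, dropping it there would make the one place where extractability matters stand out. genX509CertFromJWK's signature and the tail of its body lie outside this hunk.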
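Review bot: The `?? '{}'` fallback on the changed line turns a missing private key into an empty JWK, so a misconfigured provider fails inside `jose.importJWK` with a generic unsupported-key error instead of a message that names the real precondition; the added `extractable` option does not change that. A guard before the IdP is built, `if (ssoServiceProvider.privateKey == null) throw new Error('ssoServiceProvider has no private key');`, lets `JSON.parse(ssoServiceProvider.privateKey)` stand without the fallback and gives operators a diagnosable failure. The same pattern is repeated in the hunk at -392, which should get the same guard. The enclosing method begins and ends outside this hunk.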
@@ -392,7 +392,7 @@ export class SAMLIdentifyProviderService {
 const idp = saml.IdentityProvider({
 metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 privateKey: await jose
- .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
+ .importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm, { extractable: true })
 .then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 loginResponseTemplate: { context: 'ignored' },
 });
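Review bot: The private-key import chain on the changed line is now byte-for-byte identical to the one in the hunk at -238, and this commit had to touch both to add one option; a private async helper on the service that performs the `importJWK` → `exportPKCS8` conversion (and owns the `extractable` comment) would keep the two IdP constructions from drifting. Each call site then reduces to `privateKey: await this.exportSigningKeyPkcs8(ssoServiceProvider),` (constructed name). Keeping the export logic in one method also gives a single place to audit how the signing key leaves the CryptoKey handle. The enclosing method begins and ends outside this hunk.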