Updated: I realise now why it's not switching to the new certificate (an issue with the query below). The question remains: why does it not work with expired certs regardless?
This is the code; if it pulls an expired cert, it fails.
```csharp
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificate = store.Certificates.Find(
    X509FindType.FindBySubjectDistinguishedName,
    "CN=cert.mycompany.com",
    validOnly: false // This allows expired certificates to be returned by Find
).First(); // Takes the first match, whatever its validity period
serverBuilder.AddSigningCertificate(certificate);
serverBuilder.AddEncryptionCertificate(certificate);
```
The question isn't whether it's pulling out the correct cert (I can see there's an issue with the query), but why the expired ones are being refused at all.
How OpenIddict Handles Certificates
According to the OpenIddict documentation: "When you call AddSigningCertificate(certificate) with a specific X509Certificate2 object, OpenIddict uses it directly without validating expiration dates."
1 Answer(s)
To ensure OpenIddict uses the latest (unexpired) certificates and avoids downtime when certificates expire, you need to register both the new and old certificates in the credentials collection during key rollover. OpenIddict will only use valid (unexpired) certificates for signing and encryption, and will refuse expired ones. If only expired certificates are present, authentication will fail and your site will go offline.
Solution Steps:
- Register Multiple Certificates for Key Rollover:
- When you renew your certificate (e.g., every 3 months with Let's Encrypt), add both the new and the previous certificate in your OpenIddict configuration. This allows OpenIddict to use the valid one and ignore expired ones.
- Example:
```csharp
PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
{
    // Previous certificate: still valid during the rollover window
    serverBuilder.AddSigningCertificate(new X509Certificate2("old-cert.pfx", "oldPassword"));
    // Newly issued certificate
    serverBuilder.AddSigningCertificate(new X509Certificate2("new-cert.pfx", "newPassword"));
});
```
- Remove the expired certificate after confirming the new one is in use.
Automate Certificate Renewal and Reload:
- Automate the process of copying the new certificate to your deployment and updating the configuration.
- Restart the AuthServer application after updating certificates to ensure OpenIddict reloads them.
Self-Signed/Expired Certificates:
- OpenIddict does not allow expired certificates for security reasons.
- For development, you can use self-signed certificates, but for production, always use valid, non-expired certificates.
Troubleshooting:
- If you see errors like "When using X.509 encryption credentials, at least one of the registered certificates must be valid", it means all provided certificates are expired or invalid.
- Ensure the .pfx file is present, the password is correct, and the certificate is not expired.
- If you see errors like
References:
- OpenIddict Deployment & Certificate Management
- Fixing OpenIddict Certificate Issues in IIS or Azure
- OpenIddict Without PFX in Shared Hosting
This approach ensures seamless certificate rollover and prevents downtime due to expired certificates.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
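As an added example (not code from the question, the answer, or OpenIddict itself), the following helper puts the answer's rollover advice into the question's store-based lookup: it finds every certificate for the subject, keeps only those that have a private key and are valid right now, registers all of them, and fails at startup with an explicit message if none are left. The subject name, the helper names, and the "newest first" ordering are assumptions for illustration; what OpenIddict does when several valid credentials are registered is not stated on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection; // OpenIddictServerBuilder lives here

// Hypothetical helper (not part of OpenIddict or ABP).
public static class SigningCertificateLoader
{
    // Returns every certificate for the subject that has a private key and is valid
    // at 'nowUtc', newest (latest NotAfter) first. Expired and not-yet-valid entries
    // are dropped here rather than left for OpenIddict to reject.
    public static List<X509Certificate2> LoadValidCertificates(
        string subjectDistinguishedName,
        DateTime nowUtc,
        StoreLocation location = StoreLocation.LocalMachine)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false, as in the question: Find returns expired entries too,
        // so the filtering below is explicit instead of hidden in the store query.
        var matches = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName,
            subjectDistinguishedName,
            validOnly: false);

        // NotBefore/NotAfter are local DateTimes; convert before comparing with UTC.
        return matches
            .Cast<X509Certificate2>()
            .Where(c => c.HasPrivateKey) // signing and decryption need the private key
            .Where(c => c.NotBefore.ToUniversalTime() <= nowUtc
                     && nowUtc < c.NotAfter.ToUniversalTime())
            .OrderByDescending(c => c.NotAfter)
            .ToList();
    }

    // Registers every currently valid certificate for both signing and encryption.
    // During a rollover both the old (still valid) and the new certificate are
    // present, so both get registered; once the old one expires it simply drops out
    // of the list on the next application start.
    public static void Register(OpenIddictServerBuilder serverBuilder, string subjectDistinguishedName)
    {
        var certificates = LoadValidCertificates(subjectDistinguishedName, DateTime.UtcNow);

        if (certificates.Count == 0)
        {
            // Fail fast with a message that names the subject, instead of OpenIddict's
            // generic "at least one of the registered certificates must be valid".
            throw new InvalidOperationException(
                $"No unexpired certificate with a private key found for '{subjectDistinguishedName}' " +
                "in LocalMachine\\My. Renew the certificate and keep the previous one installed " +
                "until the new key is in use.");
        }

        foreach (var certificate in certificates)
        {
            serverBuilder.AddSigningCertificate(certificate);
            serverBuilder.AddEncryptionCertificate(certificate);
        }
    }
}
```

Wire it in where the answer's example calls PreConfigure, e.g. `PreConfigure<OpenIddictServerBuilder>(b => SigningCertificateLoader.Register(b, "CN=cert.mycompany.com"));`. The certificate list is read once at startup, so, as the answer notes, the application still has to be restarted after a renewed certificate is installed in the store.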