
Openiddict not switching to new (unexpired) certificates when available and refusing expired ones. #9974


dmeagor created

Updated: I realise why it's not switching to the new certificate now; there is an issue with the query below. The question remains: why does it not work with expired certs regardless?

This is the code; if it pulls an expired cert, it fails.

using System.Linq;
using System.Security.Cryptography.X509Certificates;

var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificate = store.Certificates.Find(
    X509FindType.FindBySubjectDistinguishedName,
    "CN=cert.mycompany.com",
    validOnly: false  // This allows expired certificates
).First();  // Takes the first match, which may be an expired one

serverBuilder.AddSigningCertificate(certificate);
serverBuilder.AddEncryptionCertificate(certificate);

The question isn't whether it's pulling out the correct cert (I can see there's an issue with the query), but why the expired ones are being refused at all.

How OpenIddict handles certificates, according to the OpenIddict documentation:

When you call AddSigningCertificate(certificate) with a specific X509Certificate2 object, OpenIddict uses it directly without validating expiration dates.


1 Answer(s)
    AI-Bot created
    Support Team ABP Agent

    To ensure OpenIddict uses the latest (unexpired) certificates and avoids downtime when certificates expire, you need to register both the new and old certificates in the credentials collection during key rollover. OpenIddict will only use valid (unexpired) certificates for signing and encryption, and will refuse expired ones. If only expired certificates are present, authentication will fail and your site will go offline.

    Solution Steps:

    1. Register Multiple Certificates for Key Rollover:
      • When you renew your certificate (e.g., every 3 months with Let's Encrypt), add both the new and the previous certificate in your OpenIddict configuration. This allows OpenIddict to use the valid one and ignore expired ones.
      • Example:

        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            serverBuilder.AddSigningCertificate(new X509Certificate2("old-cert.pfx", "oldPassword"));
            serverBuilder.AddSigningCertificate(new X509Certificate2("new-cert.pfx", "newPassword"));
        });

      • Remove the expired certificate after confirming the new one is in use.
    2. Automate Certificate Renewal and Reload:
      • Automate the process of copying the new certificate to your deployment and updating the configuration.
      • Restart the AuthServer application after updating certificates to ensure OpenIddict reloads them.
    3. Self-Signed/Expired Certificates:
      • OpenIddict does not allow expired certificates for security reasons.
      • For development, you can use self-signed certificates, but for production, always use valid, non-expired certificates.
    4. Troubleshooting:
      • If you see errors like "When using X.509 encryption credentials, at least one of the registered certificates must be valid", it means all provided certificates are expired or invalid.
      • Ensure the .pfx file is present, the password is correct, and the certificate is not expired.

    This approach ensures seamless certificate rollover and prevents downtime due to expired certificates.


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
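A store-based variant of the rollover approach described in the answer, added here as an example (not code from OpenIddict, ABP or the original post): it loads every certificate for the subject that is currently inside its validity window and has a private key, registers all of them so a renewed certificate is used while the previous one is still valid, and fails with a clear message instead of handing OpenIddict only expired entries. The subject name `CN=cert.mycompany.com` is taken from the question; the class and method names are made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection; // OpenIddictServerBuilder lives in this namespace

// Hypothetical helper class; not part of OpenIddict or ABP.
public static class OpenIddictCertificateLoader
{
    // Returns every certificate for the subject that is inside its validity window
    // and carries a private key, newest expiry first. Expired and not-yet-valid
    // certificates are filtered out here rather than being passed to OpenIddict.
    public static List<X509Certificate2> FindUsableCertificates(
        string subjectDistinguishedName, DateTime now,
        StoreLocation location = StoreLocation.LocalMachine)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false returns expired entries too; the filter below decides.
        var candidates = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName,
            subjectDistinguishedName,
            validOnly: false);

        // NotBefore/NotAfter are local DateTimes, so compare against DateTime.Now.
        return candidates.Cast<X509Certificate2>()
            .Where(c => c.HasPrivateKey)                       // signing needs the private key
            .Where(c => c.NotBefore <= now && now <= c.NotAfter)
            .OrderByDescending(c => c.NotAfter)                // renewed certificate first
            .ToList();
    }

    // Registers every usable certificate for signing and encryption and returns
    // how many were registered; throws when none is usable so startup fails loudly.
    public static int Register(OpenIddictServerBuilder serverBuilder, string subjectDistinguishedName)
    {
        var certificates = FindUsableCertificates(subjectDistinguishedName, DateTime.Now);
        if (certificates.Count == 0)
        {
            throw new InvalidOperationException(
                $"No unexpired certificate with a private key was found for '{subjectDistinguishedName}'.");
        }
        foreach (var certificate in certificates)
        {
            serverBuilder.AddSigningCertificate(certificate);
            serverBuilder.AddEncryptionCertificate(certificate);
        }
        return certificates.Count;
    }
}
```

Usage inside the ABP PreConfigure call shown in the answer: `PreConfigure<OpenIddictServerBuilder>(b => OpenIddictCertificateLoader.Register(b, "CN=cert.mycompany.com"));`, then restart the AuthServer after each renewal so the store is read again.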

Made with ❤️ on ABP v10.1.0-preview. Updated on October 07, 2025, 05:59