Validate certificate domains match configuration before reuse

Connor Lee · Connor Lee · commit be816a0b5f1d · 2026-02-11T12:17:18.000-07:00
Previously, persisted certificates were reused based solely on expiry
dates. If the configured domain changed, the old certificate would
still be served. Now the validator checks the certificate's Subject
Alternative Names against LetsEncryptOptions.Domains and triggers a
renewal when they don't match.
diff --git a/src/PingmanTools.AspNet.EncryptWeMust/Certificates/CertificateValidator.cs b/src/PingmanTools.AspNet.EncryptWeMust/Certificates/CertificateValidator.cs
@@ -1,5 +1,7 @@
 using System;
+using System.Linq;
 using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
 using PingmanTools.AspNet.EncryptWeMust.Certes;
 
@@ -9,7 +11,7 @@ public interface ICertificateValidator
     {
         bool IsCertificateValid(IAbstractCertificate certificate);
     }
-    
+
     public class CertificateValidator : ICertificateValidator
     {
         private readonly LetsEncryptOptions _options;
@@ -29,21 +31,27 @@ public bool IsCertificateValid(IAbstractCertificate certificate)
             {
                 if (certificate == null)
                     return false;
-                
+
                 var now = DateTime.Now;
 
                 _logger.LogTrace("Validating cert UntilExpiry {UntilExpiry}, AfterIssue {AfterIssue} - {Certificate}",
                     _options.TimeUntilExpiryBeforeRenewal, _options.TimeAfterIssueDateBeforeRenewal, certificate);
-                    
+
+                if (certificate is LetsEncryptX509Certificate x509Cert && !DomainsCoverConfiguration(x509Cert))
+                {
+                    _logger.LogInformation("Certificate domains do not match configured domains. A new certificate will be requested.");
+                    return false;
+                }
+
                 if (_options.TimeUntilExpiryBeforeRenewal != null && certificate.NotAfter - now < _options.TimeUntilExpiryBeforeRenewal)
                     return false;
-                
+
                 if (_options.TimeAfterIssueDateBeforeRenewal != null && now - certificate.NotBefore > _options.TimeAfterIssueDateBeforeRenewal)
                     return false;
-                
+
                 if (certificate.NotBefore > now || certificate.NotAfter < now)
                     return false;
-                
+
                 return true;
             }
             catch (CryptographicException exc)
@@ -52,5 +60,24 @@ public bool IsCertificateValid(IAbstractCertificate certificate)
                 return false;
             }
         }
+
+        private bool DomainsCoverConfiguration(LetsEncryptX509Certificate certificate)
+        {
+            var configuredDomains = _options.Domains?.ToArray();
+            if (configuredDomains == null || configuredDomains.Length == 0)
+                return true;
+
+            var cert = certificate.GetCertificate();
+            var sanExtension = cert.Extensions["2.5.29.17"] as X509SubjectAlternativeNameExtension;
+
+            if (sanExtension == null)
+                return false;
+
+            var certDomains = sanExtension.EnumerateDnsNames().ToArray();
+
+            return configuredDomains.All(configured =>
+                certDomains.Any(certDomain =>
+                    string.Equals(certDomain, configured, StringComparison.OrdinalIgnoreCase)));
+        }
     }
 }
