OPCFoundation · mrsuciu · Sep 23, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs
@@ -371,13 +371,16 @@ private static string GetDisplayName(X509Certificate2 certificate)
         /// </summary>
         /// <param name="collection"></param>
         /// <returns></returns>
-        static X509Certificate2 PickLongestDuration(X509Certificate2Collection collection)
+        static X509Certificate2 PickLongestDurationValidCerts(X509Certificate2Collection collection)
         {
             X509Certificate2 bestMatch = null;
             TimeSpan bestAvailability = TimeSpan.MinValue;
             DateTime bestNotAfter = DateTime.MinValue;
 
-            foreach (X509Certificate2 certificate in collection)
+            // Filter Valid certificates by time
+            X509Certificate2Collection validCertificates = collection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
+
+            foreach (X509Certificate2 certificate in validCertificates)
             {
                 TimeSpan availability = certificate.NotAfter - certificate.NotBefore;
 
@@ -456,7 +459,7 @@ public static X509Certificate2 Find(
                 }
                 if (matchesOnCriteria?.Count > 0)
                 {
-                    return PickLongestDuration(matchesOnCriteria);
+                    return PickLongestDurationValidCerts(matchesOnCriteria);
                 }
 
                 bool hasCommonName = subjectName.IndexOf("CN=", StringComparison.OrdinalIgnoreCase) >= 0;
@@ -485,7 +488,7 @@ public static X509Certificate2 Find(
                         }
                         if (matchesOnCriteria?.Count > 0)
                         {
-                            return PickLongestDuration(matchesOnCriteria);
+                            return PickLongestDurationValidCerts(matchesOnCriteria);
                         }
                     }
                 }
@@ -505,7 +508,7 @@ public static X509Certificate2 Find(
                     }
                     if (matchesOnCriteria?.Count > 0)
                     {
-                        return PickLongestDuration(matchesOnCriteria);
+                        return PickLongestDurationValidCerts(matchesOnCriteria);
                     }
                 }
             }
@@ -524,7 +527,7 @@ public static X509Certificate2 Find(
                 }
                 if (matchesOnCriteria?.Count > 0)
                 {
-                    return PickLongestDuration(matchesOnCriteria);
+                    return PickLongestDurationValidCerts(matchesOnCriteria);
                 }
             }
 

diff --git a/Tests/Opc.Ua.Core.Tests/Security/Certificates/CertificateStoreTest.cs b/Tests/Opc.Ua.Core.Tests/Security/Certificates/CertificateStoreTest.cs
@@ -649,26 +649,33 @@ public void FindInCollectionTest()
                 "CN=Opc.Ua.Core.Tests",
                 "urn:localhost:UA:Opc.Ua.Core.Tests",
                 validityMonths: 36);
-            X509Certificate2 certLongestDurationLatestNotAfter = CreateDuplicateCertificate(
+            X509Certificate2 certLongestDurationLatestNotAfterValid = CreateDuplicateCertificate(
                 "CN=Opc.Ua.Core.Tests",
                 "urn:localhost:UA:Opc.Ua.Core.Tests",
                 validityMonths: 36,
+                startingFromDays: -1);
+            X509Certificate2 certLongestDurationLatestNotAfterInValid = CreateDuplicateCertificate(
+                "CN=Opc.Ua.Core.Tests",
+                "urn:localhost:UA:Opc.Ua.Core.Tests",
+                validityMonths: 42,
                 startingFromDays: 1);
 
+
             var testCertificatesCollection = new[]
             {
                 certSubjectSubstring,
                 certSubjectWithCnDuplicate,
                 certSubjectWithoutCnDuplicate,
                 certApplicationUriDuplicate,
                 certLongestDuration,
-                certLongestDurationLatestNotAfter
+                certLongestDurationLatestNotAfterValid,
+                certLongestDurationLatestNotAfterInValid, // Never to be picked, just poisoned value
             };
 
             X509Certificate2 CreateDuplicateCertificate(string subjectName,
                 string applicationUri,
                 int validityMonths = 2,
-                int startingFromDays = -1)
+                int startingFromDays = -2)
             {
                 var certificateFactory = CertificateFactory.CreateCertificate(subjectName)
                     .SetNotBefore(startCreation.AddDays(startingFromDays))
@@ -740,7 +747,7 @@ X509Certificate2 CreateDuplicateCertificate(string subjectName,
                 null,
                 false);
             Assert.NotNull(resultSubjectWithCnDuplicate);
-            Assert.AreEqual(certLongestDurationLatestNotAfter.Thumbprint,
+            Assert.AreEqual(certLongestDurationLatestNotAfterValid.Thumbprint,
              resultSubjectWithCnDuplicate.Thumbprint);
 
             // Test that longest duration certificate is selected when multiple matches exist
@@ -753,7 +760,7 @@ X509Certificate2 CreateDuplicateCertificate(string subjectName,
                 null,
                 false);
             Assert.NotNull(resultLongestDuration);
-            Assert.AreEqual(certLongestDurationLatestNotAfter.Thumbprint,
+            Assert.AreEqual(certLongestDurationLatestNotAfterValid.Thumbprint,
              resultLongestDuration.Thumbprint);
 
             // Test search by applicationUri works for single match
@@ -776,7 +783,7 @@ X509Certificate2 CreateDuplicateCertificate(string subjectName,
                 null,
                 false);
             Assert.NotNull(resultApplicationUriDuplicate);
-            Assert.AreEqual(certLongestDurationLatestNotAfter.Thumbprint,
+            Assert.AreEqual(certLongestDurationLatestNotAfterValid.Thumbprint,
              resultApplicationUriDuplicate.Thumbprint);
         }