From 9cb7c74e1ccc3fe31f78e97edfe13341c5f6a54d Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Mon, 26 Jan 2026 17:07:35 +0100
Subject: [PATCH] internal: fix certificate not refetched if fingerprint
 changes (#19761)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/ak/crypto.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/internal/outpost/ak/crypto.go b/internal/outpost/ak/crypto.go
index afab8015d3..9bf647384d 100644
--- a/internal/outpost/ak/crypto.go
+++ b/internal/outpost/ak/crypto.go
@@ -29,10 +29,13 @@ func NewCryptoStore(cryptoApi *api.CryptoApiService) *CryptoStore {
 }
 
 func (cs *CryptoStore) AddKeypair(uuid string) error {
-	// If they keypair was already added, don't
-	// do it again
-	if _, ok := cs.fingerprints[uuid]; ok {
-		return nil
+	// Check if the cached fingerprint matches the certificate,
+	// if not, we re-fetch it
+	if sfp, ok := cs.fingerprints[uuid]; ok {
+		fp := cs.getFingerprint(uuid)
+		if sfp == fp {
+			return nil
+		}
 	}
 	// reset fingerprint to force update
 	cs.fingerprints[uuid] = ""