Projects tigase _server server-core Issues #1279
Option to disable generation of self-signed certificates. (#1279)
Closed
wojciech.kapcia@tigase.net opened 3 years ago

Sometimes it would be preferred to leave an older, correct but expired certificate instead of serving a non-expired but self-signed certificate.

(somewhat related to #utils-25)


After the discussion we settled on:

  1. if there is no certificate for the given VHost (for example after creating VHost and without providing own certificate) - generate self-signed certificate to facilitate connection (starttls is required)
  2. if there is a certificate for the domain but it is expired, re-generate the certificate but only in case of a self-signed certificate (to avoid overriding our own certificates; there is still an expired one but regenerating a self-signed one in its place would yield virtually the same result for the end-user = notification that the certificate is incorrect; without replacing it with a self-signed one we would at least know what the original certificate was and that it indeed expired)
wojciech.kapcia@tigase.net commented 2 years ago

There was an issue, which was an aftermath of issue #1228. After the failed migration to the repository Andrzej continued to use certificates stored in the filesystem but there were already certificates migrated to the repository. And after a couple of months, when he decided to actually switch from the filesystem to the repository, the old, stale certificates from the repository conflicted with the filesystem ones and overrode them.

Nevertheless I reviewed the code and:

  1. currently only self-signed certificates are regenerated if expired (see tigase.io.SSLContextContainer#validateDomainCertificate)
  2. expired "proper" certificates are kept and announced as-is

I also made a couple of changes:

  1. Removed the option to generate a wildcard certificate from CertificateContainer (it was causing certificates to be generated with the wildcard domain in the CN) and instead I corrected the certificate generator to put the wildcard domain properly as a SAN (SubjectAltName) in addition to the domain in the DN (it wasn't possible to do it in OldCertificateGenerator due to a Sun Java API limitation / bug that was fixed in JDK15... which doesn't allow running OldCertificateGenerator because of modules and limiting access to internal APIs; on the other hand, I updated the keytool based implementation to add the SAN - it wasn't working with JDK11 but given that the keytool based implementation is intended for JDK17 and newer there is no problem... and yes, it was fixed by the same bug that affected OldCertificateGenerator)
  2. I removed code that stripped wildcard (*.) from alias before storing the certificate (to repository, filesystem), which was intended to make it more compatible (and allow overriding via ad-hocs for domains!) but in the end it could cause issues when re-loading such certificate / make it impossible to properly migrate those certificates from file system.
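As an added illustration (not Tigase code, which is Java; this is a self-contained Go program using only the standard library), the two rules settled in the opening post and the SAN placement described in the comment above, applied to constructed certificates. The names `Decide`, `Action`, `IsSelfSigned`, `NewSelfSigned` and `NewCASigned` and the throwaway "Constructed Test CA" are hypothetical; the "self-signed" test (issuer equals subject and the signature verifies under the certificate's own key) is the check a container would use to tell its own generated certificates from a "proper" but expired one before deciding whether to overwrite it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Action is what the container does with the certificate slot of a VHost (hypothetical type).
type Action int

const (
	GenerateSelfSigned   Action = iota // nothing installed: create one so STARTTLS can work (rule 1)
	RegenerateSelfSigned               // expired and self-signed: replace it with a fresh one (rule 2)
	KeepAsIs                           // valid, or expired but issued by a real CA: never overwrite
)

// IsSelfSigned reports whether the issuer is the certificate's own subject and the
// signature verifies under its own public key; a subject/issuer name match alone is not enough.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// Decide applies the two rules agreed in the issue to whatever is loaded for a VHost.
func Decide(cert *x509.Certificate, now time.Time) Action {
	if cert == nil {
		return GenerateSelfSigned
	}
	if now.After(cert.NotAfter) && IsSelfSigned(cert) {
		return RegenerateSelfSigned
	}
	return KeepAsIs // an expired CA-issued certificate stays, so the original is still visible
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// leafTemplate puts the bare domain in the DN and both the domain and its wildcard
// in the SAN extension, which is what the corrected generator described above does.
func leafTemplate(domain string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain, "*." + domain},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewSelfSigned builds a constructed self-signed certificate for domain.
func NewSelfSigned(domain string, notBefore, notAfter time.Time) *x509.Certificate {
	key := newKey()
	tmpl := leafTemplate(domain, 1, notBefore, notAfter)
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// NewCASigned builds a constructed certificate for domain signed by a throwaway test CA,
// standing in for a "proper" certificate obtained from a real issuer.
func NewCASigned(domain string, notBefore, notAfter time.Time) *x509.Certificate {
	caKey, leafKey := newKey(), newKey()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             notBefore.Add(-time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	tmpl := leafTemplate(domain, 3, notBefore, notAfter)
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey))
}

func main() {
	now := time.Now()
	past, old := now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	fmt.Println("no certificate      ->", Decide(nil, now))
	fmt.Println("expired self-signed ->", Decide(NewSelfSigned("example.org", past, old), now))
	fmt.Println("expired CA-issued   ->", Decide(NewCASigned("example.org", past, old), now))
	valid := NewSelfSigned("example.org", old, now.Add(24*time.Hour))
	fmt.Println("valid self-signed   ->", Decide(valid, now))
	// The wildcard is a SAN entry, so a subdomain matches without "*." in the CN.
	fmt.Println("xmpp.example.org covered:", valid.VerifyHostname("xmpp.example.org") == nil)
}
```

`Decide` deliberately checks only `NotAfter`: a certificate that is not yet valid is a configuration problem, not an expiry, and is kept for the same reason an expired CA-issued one is.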