From 29e9d2992ec9dbd37f65ab8d75808ca38e95558c Mon Sep 17 00:00:00 2001
From: Tamer Wahba <tamwahba@hotmail.com>
Date: Sat, 2 May 2026 17:04:34 -0400
Subject: [PATCH] update http certificate validator to match server startup
 behavior

---
 .../Config/CertificateValidator.cs            | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/Radarr.Api.V3/Config/CertificateValidator.cs b/src/Radarr.Api.V3/Config/CertificateValidator.cs
index 4f1878d8ee..9161deb77c 100644
--- a/src/Radarr.Api.V3/Config/CertificateValidator.cs
+++ b/src/Radarr.Api.V3/Config/CertificateValidator.cs
@@ -3,6 +3,7 @@
 using FluentValidation;
 using FluentValidation.Validators;
 using NLog;
+using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Instrumentation;
 
 namespace Radarr.Api.V3.Config
@@ -33,11 +34,11 @@ protected override bool IsValid(PropertyValidatorContext context)
                 return true;
             }
 
+            var certificateCollection = new X509Certificate2Collection();
+
             try
             {
-                new X509Certificate2(resource.SslCertPath, resource.SslCertPassword, X509KeyStorageFlags.DefaultKeySet);
-
-                return true;
+                certificateCollection.Import(resource.SslCertPath, resource.SslCertPassword, X509KeyStorageFlags.DefaultKeySet);
             }
             catch (CryptographicException ex)
             {
@@ -47,6 +48,19 @@ protected override bool IsValid(PropertyValidatorContext context)
 
                 return false;
             }
+
+            if (certificateCollection.None(c => c.HasPrivateKey))
+            {
+                var message = $"The SSL certificate file {resource.SslCertPath} does not contain a certificate with an associated private key";
+
+                Logger.Debug($"{message}");
+
+                context.MessageFormatter.AppendArgument("message", message);
+
+                return false;
+            }
+
+            return true;
         }
     }
 }