Only pick ASP.NET Core development certificates that are valid

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs

@@ -354,10 +354,12 @@ public class Startup
                     return errors is SslPolicyErrors.None or SslPolicyErrors.RemoteCertificateNotAvailable;
                 },
 
-                // Use the same TLS server certificate as the default server instance.
+                // Use the development certificate generated and stored by ASP.NET Core in the user store.
                 ServerCertificate = store.Certificates
                     .Find(X509FindType.FindByExtension, "1.3.6.1.4.1.311.84.1.1", validOnly: false)
                     .Cast<X509Certificate2>()
+                    .Where(static certificate => certificate.NotBefore < TimeProvider.System.GetLocalNow())
+                    .Where(static certificate => certificate.NotAfter > TimeProvider.System.GetLocalNow())
                     .OrderByDescending(static certificate => certificate.NotAfter)
                     .FirstOrDefault() ??
                     throw new InvalidOperationException("The ASP.NET Core HTTPS development certificate was not found.")