diff --git a/token/claimBuilder.go b/token/claimBuilder.go
index 1a0d4da..d872caf 100644
--- a/token/claimBuilder.go
+++ b/token/claimBuilder.go
@@ -230,7 +230,7 @@ func (cb *clientCertificateClaimBuilder) AddClaims(_ context.Context, r *Request
 }
 // special logic around expired certificates
- expired := now.After(pc.NotAfter)
+ expired := now.Before(pc.NotBefore) || now.After(pc.NotAfter)
 vo := x509.VerifyOptions{
 // always set the current time so that we disambiguate expired
 // from untrusted.
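Review bot: The comment `// special logic around expired certificates` and the name `expired` no longer describe the new condition, which is also true for a certificate whose `NotBefore` is still in the future. Since the branches that consume `expired` are outside this hunk (AddClaims starts and ends beyond it), a reader cannot tell that a not-yet-valid certificate now takes the same path as an expired one; I would change the comment to `// special logic around certificates outside their validity window (not yet valid or expired)` and consider renaming the variable to `outsideValidity`. If that path is more lenient than outright rejection, confirm it is intended for future-dated certificates as well, and add a test case with `now` before `NotBefore`. The `x509.VerifyOptions` literal that follows is cut off here, so whether its time field still suits a not-yet-valid certificate has to be checked against the full function.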