diff --git a/src/IdentityServer/src/Configuration/DependencyInjection/Options/KeyManagementOptions.cs b/src/IdentityServer/src/Configuration/DependencyInjection/Options/KeyManagementOptions.cs
index 88126c08a..f0df8b2a6 100644
--- a/src/IdentityServer/src/Configuration/DependencyInjection/Options/KeyManagementOptions.cs
+++ b/src/IdentityServer/src/Configuration/DependencyInjection/Options/KeyManagementOptions.cs
@@ -132,8 +132,10 @@ internal void Validate()
             if (RotationInterval <= TimeSpan.Zero) throw new Exception(nameof(RotationInterval) + " must be greater than zero.");
             if (RetentionDuration <= TimeSpan.Zero) throw new Exception(nameof(RetentionDuration) + " must be greater than zero.");
 
-            if (KeyCacheDuration >= PropagationTime)
+            if (KeyCacheDuration > PropagationTime / 2)
             {
+                // we should not cache too long, because we need a server to have latest data
+                // to allow clients/apis time to update their caches.
                 // todo: error, or just calculate it?
                 KeyCacheDuration = PropagationTime / 2;
             }
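Review bot: The tightened condition still silently overwrites the operator's configured KeyCacheDuration, while the sibling checks two lines above throw on an invalid value, and the `// todo: error, or just calculate it?` the commit keeps shows the choice was never made. Clamping downward is the safe direction (a shorter cache means a server picks up a newly announced key sooner), but nothing tells the operator that the value in effect differs from what they configured; either throw like the neighbours, `throw new Exception(nameof(KeyCacheDuration) + " must not exceed half of " + nameof(PropagationTime) + ".");`, or keep the clamp and say so in the comment, e.g. `// KeyCacheDuration is clamped to PropagationTime / 2 so every server refreshes its key cache before a newly announced key is used; the configured value is overridden silently.`. Whether PropagationTime itself is validated to be positive is not visible in this hunk; if it is not, a zero PropagationTime turns the clamp into KeyCacheDuration = TimeSpan.Zero without any diagnostic. Validate() begins and ends outside the hunk.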