diff --git a/lib/resty/acme/autossl.lua b/lib/resty/acme/autossl.lua
index 0b23555..348d224 100644
--- a/lib/resty/acme/autossl.lua
+++ b/lib/resty/acme/autossl.lua
@@ -58,6 +58,7 @@ local default_config = {
 challenge_start_delay = 0,
 -- if true, the request to nginx waits until the cert has been generated and it is used right away
 blocking = false,
+ enabled_delete_not_whitelisted_domain = false,
 }
 
 local domain_pkeys = {}
@@ -332,10 +333,24 @@ function AUTOSSL.check_renew(premature)
 goto continue
 end
 
+ local domain = deserialized.domain
+ if not AUTOSSL.is_domain_whitelisted(domain, true) then
+ if AUTOSSL.config.enabled_delete_not_whitelisted_domain then
+ local err = AUTOSSL.storage:delete(key)
+ if err then
+ log(ngx_ERR, "failed to delete certificate for ", domain, " error: ", err)
+ else
+ log(ngx_INFO, "successfully delete certificate for domain ", domain)
+ end
+ else
+ log(ngx_INFO, "domain ", domain, " not in whitelist but exists in storage, skipping renewal")
+ end
+ goto continue
+ end
+
 local cert = openssl.x509.new(deserialized.cert)
 local _, not_after = cert:get_lifetime()
 if not_after - now < AUTOSSL.config.renew_threshold then
- local domain = deserialized.domain
 local err = AUTOSSL.update_cert({
 domain = domain,
 renew = true,
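Review bot: The new `enabled_delete_not_whitelisted_domain` entry in `default_config` has no comment, while its neighbour `blocking` explains itself; because switching this on lets the renewal timer delete stored certificates, the option needs a line such as `-- if true, certificates in storage whose domain no longer passes the whitelist check are deleted during the renewal pass instead of being skipped`. The `default_config` table begins before this hunk.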
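Review bot: Deleting `key` from storage on a single negative `is_domain_whitelisted(domain, true)` result is irreversible, and the new branch cannot tell "domain was removed from the whitelist" apart from a whitelist check that merely failed on this pass; if that check consults a user-supplied callback or an external lookup (its body is not in this hunk, so this is inferred from the name), one transient failure during a renewal run would purge every stored certificate while the option is enabled. Consider acting on the whitelist result only when the check reports success — for example having it return `nil, err` on failure and skipping the delete with a log line in that case — or at minimum logging at warn level before the delete so an operator notices a mass purge. Two smaller points: the second argument `true` is a bare positional flag whose meaning is not visible at the call site, so a short comment naming what it selects would help, and the success message should read `"successfully deleted certificate for domain "`. `check_renew` begins and ends outside this hunk.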