diff --git a/authority/tls.go b/authority/tls.go
index 32b85e11..29053ddf 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -348,9 +348,12 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
 }
 
- // Check if the certificate is allowed to be renewed, policies or
- // constraints might change over time.
- if err := a.isAllowedToSignX509Certificate(newCert); err != nil {
+ // Check if the certificate is allowed to be renewed, name constraints might
+ // change over time.
+ //
+ // TODO(hslatman,maraino): consider adding policies too and consider if
+ // RenewSSH should check policies.
+ if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil {
 var ee *errs.Error
 if errors.As(err, &ee) {
 return nil, errs.ApplyOptions(ee, opts...)
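Review bot: Replacing `a.isAllowedToSignX509Certificate(newCert)` with `a.constraintsEngine.ValidateCertificate(newCert)` drops the X.509 policy evaluation from Rekey, so a certificate issued before the issuance policy was tightened can keep being rekeyed with names the current policy would now reject; the removed comment said both policies and constraints may change over time, and the new TODO leaves that gap open rather than closing it. Unless rekeying is deliberately exempt from policy, I would keep the policy evaluation next to the name-constraint check instead of deferring it to a TODO, i.e. run the policy engine on `newCert` after `ValidateCertificate` succeeds (the policy engine's API is not visible in this hunk, so the exact call is for the authors to fill in). If the exemption is intended, say so in the comment so a later reader does not assume the check was lost by accident, e.g. `// Policies are intentionally not re-evaluated on rekey; only name constraints are.` Whether `a.constraintsEngine` can be nil at this point is not visible here; if it is optional, the call needs a nil guard. Rekey's body starts before and continues after this hunk.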