diff --git a/certmagic.go b/certmagic.go
index 6bc33d58..860f5e76 100644
--- a/certmagic.go
+++ b/certmagic.go
@@ -268,7 +268,7 @@ type OnDemandConfig struct {
 	// whether a certificate can be obtained or renewed
 	// for the given name. If an error is returned, the
 	// request will be denied.
-	DecisionFunc func(name string) error
+	DecisionFunc func(ctx context.Context, name string) error
 
 	// Sources for getting new, unmanaged certificates.
 	// They will be invoked only during TLS handshakes
diff --git a/handshake.go b/handshake.go
index 1e9928ba..a91d3ebb 100644
--- a/handshake.go
+++ b/handshake.go
@@ -313,7 +313,7 @@ func (cfg *Config) getCertDuringHandshake(ctx context.Context, hello *tls.Client
 	// Make sure a certificate is allowed for the given name. If not, it doesn't
 	// make sense to try loading one from storage (issue #185), getting it from a
 	// certificate manager, or obtaining one from an issuer.
-	if err := cfg.checkIfCertShouldBeObtained(name, false); err != nil {
+	if err := cfg.checkIfCertShouldBeObtained(ctx, name, false); err != nil {
 		return Certificate{}, fmt.Errorf("certificate is not allowed for server name %s: %v", name, err)
 	}
 
@@ -438,7 +438,7 @@ func (cfg *Config) optionalMaintenance(ctx context.Context, log *zap.Logger, cer
 // checkIfCertShouldBeObtained checks to see if an on-demand TLS certificate
 // should be obtained for a given domain based upon the config settings. If
 // a non-nil error is returned, do not issue a new certificate for name.
-func (cfg *Config) checkIfCertShouldBeObtained(name string, requireOnDemand bool) error {
+func (cfg *Config) checkIfCertShouldBeObtained(ctx context.Context, name string, requireOnDemand bool) error {
 	if requireOnDemand && cfg.OnDemand == nil {
 		return fmt.Errorf("not configured for on-demand certificate issuance")
 	}
@@ -447,7 +447,7 @@ func (cfg *Config) checkIfCertShouldBeObtained(name string, requireOnDemand bool
 	}
 	if cfg.OnDemand != nil {
 		if cfg.OnDemand.DecisionFunc != nil {
-			if err := cfg.OnDemand.DecisionFunc(name); err != nil {
+			if err := cfg.OnDemand.DecisionFunc(ctx, name); err != nil {
 				return fmt.Errorf("decision func: %w", err)
 			}
 			return nil
@@ -685,7 +685,7 @@ func (cfg *Config) renewDynamicCertificate(ctx context.Context, hello *tls.Clien
 		defer cancel()
 
 		// Make sure a certificate for this name should be renewed on-demand
-		err := cfg.checkIfCertShouldBeObtained(name, true)
+		err := cfg.checkIfCertShouldBeObtained(ctx, name, true)
 		if err != nil {
 			// if not, remove from cache (it will be deleted from storage later)
 			cfg.certCache.mu.Lock()