Generate test certificates at runtime #67325
Open
BrennanConroy wants to merge 2 commits into
Pull request overview
This PR removes reliance on checked-in, expiring certificate binaries in tests by introducing a shared runtime certificate generator and updating multiple test/samples to consume generated certificates (either in-memory or via on-demand PFX materialization through TestResources).
Changes:
- Added `TestCertificateFactory` to generate RSA/ECDSA/EKU/dev-cert/public-key-only certificates at runtime.
- Updated SignalR, Kestrel, HttpSys, DataProtection, Autobahn, and Negotiate tests/apps to use generated certificates instead of checked-in `.pfx` content.
- Cleaned up removed certificate content globs and associated CredScan suppressions.
Show a summary per file
| File | Description |
|---|---|
| src/SignalR/common/Shared/TestCertificates.cs | Switch SignalR shared test cert loading from PFX files to runtime-generated RSA/ECDSA certs. |
| src/SignalR/clients/ts/FunctionalTests/SignalR.Client.FunctionalTestApp.csproj | Link in TestCertificateFactory and stop copying shared .pfx content. |
| src/SignalR/clients/csharp/Client/test/FunctionalTests/Microsoft.AspNetCore.SignalR.Client.FunctionalTests.csproj | Link in TestCertificateFactory and stop copying shared .pfx content. |
| src/Shared/TestResources.cs | Generate specific shared test PFX files on-demand when callers request known cert names. |
| src/Shared/TestCertificateFactory.cs | New shared certificate generation utilities used across tests/projects. |
| src/Servers/Kestrel/Transport.Quic/test/Microsoft.AspNetCore.Server.Kestrel.Transport.Quic.Tests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/Transport.NamedPipes/test/Microsoft.AspNetCore.Server.Kestrel.Transport.NamedPipes.Tests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/test/Sockets.FunctionalTests/Sockets.FunctionalTests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/test/Sockets.BindTests/Sockets.BindTests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/test/Interop.FunctionalTests/Interop.FunctionalTests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/test/Interop.FunctionalTests/Http3/Http3TlsTests.cs | Use TestResources.GetCertPath(...) to ensure dev-cert PFX exists at runtime. |
| src/Servers/Kestrel/test/InMemory.FunctionalTests/InMemory.FunctionalTests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/samples/HttpClientApp/HttpClientApp.csproj | Link in TestCertificateFactory and remove .pfx content copy for sample usage. |
| src/Servers/Kestrel/Kestrel/test/Microsoft.AspNetCore.Server.Kestrel.Tests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/Kestrel/Kestrel/test/HttpsConfigurationTests.cs | Replace direct PFX file loads with TestResources helpers for runtime generation. |
| src/Servers/Kestrel/Core/test/Microsoft.AspNetCore.Server.Kestrel.Core.Tests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Servers/HttpSys/test/FunctionalTests/Microsoft.AspNetCore.Server.HttpSys.FunctionalTests.csproj | Link in TestCertificateFactory and remove .pfx content copy. |
| src/Security/Authentication/Negotiate/test/Negotiate.FunctionalTest/NegotiateHandlerFunctionalTests.cs | Generate the Negotiate HTTPS cert at runtime and use its path. |
| src/Security/Authentication/Negotiate/test/Negotiate.FunctionalTest/Microsoft.AspNetCore.Authentication.Negotiate.FunctionalTest.csproj | Link in TestCertificateFactory and stop copying the checked-in PFX. |
| src/Middleware/WebSockets/test/ConformanceTests/AutobahnTestApp/Program.cs | Ensure the Autobahn SSL cert exists by generating it at startup. |
| src/Middleware/WebSockets/test/ConformanceTests/AutobahnTestApp/AutobahnTestApp.csproj | Link in TestCertificateFactory and stop copying the checked-in PFX. |
| src/DefaultBuilder/test/Microsoft.AspNetCore.FunctionalTests/Microsoft.AspNetCore.FunctionalTests.csproj | Remove copying a checked-in test cert PFX (now unused). |
| src/DataProtection/Extensions/test/Microsoft.AspNetCore.DataProtection.Extensions.Tests.csproj | Link in TestCertificateFactory and stop copying removed TestFiles content. |
| src/DataProtection/Extensions/test/DataProtectionProviderTests.cs | Replace file-based certificate dependencies with runtime-generated certs. |
| src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/XmlEncryption/EncryptedXmlDecryptorTests.cs | Replace file-based certs with runtime-generated certs for encryption/decryption tests. |
| src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj | Link in TestCertificateFactory and stop copying removed TestFiles content. |
| .config/CredScanSuppressions.json | Remove suppressions for deleted certificate binaries. |
Copilot's findings
- Files reviewed: 27/47 changed files
- Comments generated: 1
This was referenced Jun 19, 2026
Replace checked-in test certificates with runtime-generated equivalents so test cert expiration is controlled by test code. Add shared certificate generation helpers, including server certificate helpers that avoid ephemeral private keys on Windows where SslStream cannot use them.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
3c1f7ca to e2603ab
Avoid contending on the Windows PFX import mutex while generating shared test certificate files, and use a non-ephemeral import for certificates that are added to the Windows certificate store.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Some tests relied on checked-in PFX and CER files that can expire and break future test runs. This replaces those expiring binaries with runtime-generated certificates while preserving the certificate shapes that the tests exercise.
Summary
`TestCertificateFactory` for generating RSA, ECDSA, EKU-specific, ASP.NET Core dev-cert, and public-key-only test certificates.

Validation
- `restore.cmd`
- `git diff --check`
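
The pattern the description and commit messages refer to, as an added sketch that is not the PR's `TestCertificateFactory` code: a short-lived TLS server certificate is generated at run time and then re-loaded from PKCS#12 without `EphemeralKeySet`, so that SslStream on Windows can use the private key. The class name `RuntimeTestCert`, the method signature, and the choice of RSA-2048 with a loopback SAN are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for illustration; not the PR's TestCertificateFactory.
public static class RuntimeTestCert
{
    public static X509Certificate2 CreateServerCertificate(string dnsName, TimeSpan lifetime)
    {
        using var key = RSA.Create(2048);
        var request = new CertificateRequest(
            $"CN={dnsName}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // End-entity certificate restricted to TLS server authentication.
        request.CertificateExtensions.Add(
            new X509BasicConstraintsExtension(false, false, 0, true));
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth

        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        san.AddIpAddress(IPAddress.Loopback);
        request.CertificateExtensions.Add(san.Build());

        // Validity is computed when the test runs, so nothing checked in can expire.
        var now = DateTimeOffset.UtcNow;
        using var selfSigned = request.CreateSelfSigned(now.AddMinutes(-5), now.Add(lifetime));

        // The key attached by CreateSelfSigned lives only in memory. Round-trip
        // through PKCS#12 with a throwaway password and load it WITHOUT
        // X509KeyStorageFlags.EphemeralKeySet so the key is usable for TLS on Windows.
        string password = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        byte[] pfx = selfSigned.Export(X509ContentType.Pfx, password);
        try
        {
            return X509CertificateLoader.LoadPkcs12(
                pfx, password, X509KeyStorageFlags.DefaultKeySet);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(pfx); // do not leave key material around
        }
    }
}
```

Dispose the returned certificate when the test finishes; with `DefaultKeySet` and no `PersistKeySet`, Windows removes the imported key file when the certificate is disposed.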