
Separate self-signed CA and TLS certificate#15515

Draft
heaths wants to merge 2 commits into Azure:main from heaths:two-certs

Conversation

@heaths
Member

@heaths heaths commented May 6, 2026

Rust's default HTTP stack - reqwest - does not support a self-signed TLS certificate.
Instead, we split the CA out while retaining the old dotnet-devcert.crt public key PEM.
dotnet-devcert.pfx is still the key pair for the server TLS certificate, but is signed by the separate CA.

This should require no code changes to other languages' test-proxy implementations.

Relates to Azure/azure-sdk-for-rust#4345
Copilot AI review requested due to automatic review settings May 6, 2026 05:16
@heaths heaths requested a review from a team as a code owner May 6, 2026 05:16
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the test-proxy dev certificate assets to separate the self-signed CA certificate from the localhost TLS (leaf) certificate, enabling stacks (e.g., Rust/reqwest) that require a CA root to trust the proxy’s TLS certificate.

Changes:

  • Add a rotate.sh script to generate a self-signed CA and a CA-signed localhost leaf cert, and bundle them into dotnet-devcert.pfx.
  • Update dotnet-devcert.crt to represent the CA certificate, and add a separate localhost.crt leaf certificate.
  • Add OpenSSL config files for CA and leaf generation, plus local gitignore rules for generated private materials.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Summary per file:

  • eng/common/testproxy/rotate.sh: New rotation script to generate CA + leaf cert and export to PFX.
  • eng/common/testproxy/localhost.crt: Adds the committed localhost leaf certificate PEM.
  • eng/common/testproxy/localhost.conf: OpenSSL config for the localhost leaf certificate extensions/SAN.
  • eng/common/testproxy/dotnet-devcert.crt: Replaces the committed cert with a CA cert PEM.
  • eng/common/testproxy/ca.crt: Adds an additional CA certificate PEM (currently appears unused).
  • eng/common/testproxy/ca.conf: OpenSSL config for generating the self-signed CA certificate.
  • eng/common/testproxy/.gitignore: Ignores generated CSR/key/serial files in this folder.

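The rotation flow summarised above (a self-signed CA, a CA-signed localhost leaf with a SAN, both bundled into the PFX), as an added shell example that is not the PR's rotate.sh. It assumes openssl is on PATH; the CN values and the PFX password "devcert" are constructed placeholders, and the check function shows what a consumer should verify: that the leaf chains to the CA rather than to itself.

```shell
# Added example (not the PR's rotate.sh). Assumes openssl on PATH; CN values
# and the PFX password "devcert" are constructed placeholders.
set -eu
# Generate ca.crt (self-signed CA), localhost.crt (leaf signed by the CA) and
# dotnet-devcert.pfx (leaf key pair + CA chain) inside $1.
make_dev_certs() (
  mkdir -p "$1" && cd "$1"
  cat > ca.conf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Test Proxy Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > localhost.conf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
  # Self-signed CA: the only thing a client such as reqwest needs to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -config ca.conf 2>/dev/null
  # Leaf: CSR, then sign it with the CA, applying the SAN/EKU from localhost.conf.
  openssl req -new -newkey rsa:2048 -nodes -keyout localhost.key \
    -out localhost.csr -config localhost.conf 2>/dev/null
  openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile localhost.conf -extensions v3_leaf -out localhost.crt 2>/dev/null
  # PFX keeps the leaf key pair (for the server) and bundles the CA as the chain.
  openssl pkcs12 -export -inkey localhost.key -in localhost.crt -certfile ca.crt \
    -out dotnet-devcert.pfx -passout pass:devcert
)
# Return 0 only if the leaf chains to the CA, the CA is a real CA, the leaf has the SAN, and the PFX holds both certs.
check_dev_certs() {
  openssl verify -CAfile "$1/ca.crt" "$1/localhost.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$1/localhost.crt" -noout -text | grep -q 'DNS:localhost' || return 1
  n=$(openssl pkcs12 -in "$1/dotnet-devcert.pfx" -nokeys -passin pass:devcert \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ]
}
```

The generated ca.key, localhost.key, CSR and serial file are exactly the private materials the PR's .gitignore keeps out of the repo; only ca.crt, localhost.crt and the PFX are meant to be committed.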
@azure-sdk
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow


@heaths
Member Author

heaths commented May 6, 2026

I was able to find a different source of the underlying issue for Azure/azure-sdk-for-rust#4344 so this is no longer a priority but I want to continue this work. I'm going to close out the sync PRs while I figure out why .NET failed and make sure the other languages don't. @scbedd and I suspect it's because the dotnet-devcert.pfx was more often used by clients to trust the cert rather than dotnet-devcert.crt (which was just the public key from the PFX before), but I also found https://github.com/Azure/azure-sdk-for-net/blob/ae0f347fc42f7786c0541dcd313c055c8dc95062/sdk/core/Microsoft.ClientModel.TestFramework/src/RecordedTests/TestProxy/ProxyTransport.cs#L52 that might explain the exception during playback tests for .NET.

@heaths heaths marked this pull request as draft May 6, 2026 21:14

4 participants