Skip to content

Separate self-signed CA and TLS certificate#15515

Draft
heaths wants to merge 2 commits intoAzure:mainfrom
heaths:two-certs
Draft

Separate self-signed CA and TLS certificate#15515
heaths wants to merge 2 commits intoAzure:mainfrom
heaths:two-certs

Conversation

@heaths
Copy link
Copy Markdown
Member

@heaths heaths commented May 6, 2026

Rust's default HTTP stack - reqwest - does not support a self-signed TLS certificate.
Instead, we split the CA out while retaining the old dotnet-devcert.crt public key PEM.
dotnet-devcert.pfx is still the key pair for the server TLS certificate, but is signed by the separate CA.

This should require no code changes to other languages' test-proxy implementations.

Relates to Azure/azure-sdk-for-rust#4345

@heaths
Separate self-signed CA and TLS certificate
970a62e 
Rust's default HTTP stack - reqwest - does not support a self-signed TLS certificate.
Instead, we split the CA out while retaining the old dotnet-devcert.crt public key PEM.
dotnet-devcert.pfx is still the key pair for the server TLS certificate, but is signed by the separate CA.

This should require no code changes to other languages' test-proxy implementations.

Relates to Azure/azure-sdk-for-rust#4345
Copilot AI review requested due to automatic review settings May 6, 2026 05:16
@heaths heaths requested a review from a team as a code owner May 6, 2026 05:16
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the test-proxy dev certificate assets to separate the self-signed CA certificate from the localhost TLS (leaf) certificate, enabling stacks (e.g., Rust/reqwest) that require a CA root to trust the proxy’s TLS certificate.

Changes:

  • Add a rotate.sh script to generate a self-signed CA and a CA-signed localhost leaf cert, and bundle them into dotnet-devcert.pfx.
  • Update dotnet-devcert.crt to represent the CA certificate, and add a separate localhost.crt leaf certificate.
  • Add OpenSSL config files for CA and leaf generation, plus local gitignore rules for generated private materials.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
eng/common/testproxy/rotate.sh New rotation script to generate CA + leaf cert and export to PFX.
eng/common/testproxy/localhost.crt Adds the committed localhost leaf certificate PEM.
eng/common/testproxy/localhost.conf OpenSSL config for the localhost leaf certificate extensions/SAN.
eng/common/testproxy/dotnet-devcert.crt Replaces the committed cert with a CA cert PEM.
eng/common/testproxy/ca.crt Adds an additional CA certificate PEM (currently appears unused).
eng/common/testproxy/ca.conf OpenSSL config for generating the self-signed CA certificate.
eng/common/testproxy/.gitignore Ignores generated CSR/key/serial files in this folder.

Comment thread eng/common/testproxy/rotate.sh Outdated
Comment thread eng/common/testproxy/localhost.conf
Comment thread eng/common/testproxy/ca.crt Outdated
@azure-sdk
Copy link
Copy Markdown
Collaborator

azure-sdk commented May 6, 2026

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@azure-sdk
Copy link
Copy Markdown
Collaborator

azure-sdk commented May 6, 2026

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

This was referenced May 6, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@heaths
Copy link
Copy Markdown
Member Author

heaths commented May 6, 2026

I was able to find a different source of the underlying issue for Azure/azure-sdk-for-rust#4344 so this is no longer a priority but I want to continue this work. I'm going to close out the sync PRs while I figure out why .NET failed and make sure the other languages don't. @scbedd and I suspect it's because the dotnet-devcert.pfx was more often used by clients to trust the cert rather than dotnet-devcert.crt (which was just the public key from the PFX before), but I also found https://github.com/Azure/azure-sdk-for-net/blob/ae0f347fc42f7786c0541dcd313c055c8dc95062/sdk/core/Microsoft.ClientModel.TestFramework/src/RecordedTests/TestProxy/ProxyTransport.cs#L52 that might explain the exception during playback tests for .NET.

@heaths heaths marked this pull request as draft May 6, 2026 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@scbedd scbedd scbedd approved these changes

@LarryOsterman LarryOsterman Awaiting requested review from LarryOsterman

@RickWinter RickWinter Awaiting requested review from RickWinter

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@heaths @azure-sdk @scbedd