[NOREVIEW] Test support for certificates with ephemeral keys

[rzikm]

Related to #114640

[Copilot]

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (3)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Windows.cs:303

• Confirm that combining both PKCS12_NAMED_NO_PERSIST_KEY and PKCS12_NO_PERSIST_KEY is intentional and that their combined effect does not lead to unintended behavior.

pfxCertStoreFlags |= Interop.Crypt32.PfxCertStoreFlags.PKCS12_NAMED_NO_PERSIST_KEY | Interop.Crypt32.PfxCertStoreFlags.PKCS12_NO_PERSIST_KEY | Interop.Crypt32.PfxCertStoreFlags.PKCS12_ALWAYS_CNG_KSP;

src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs:955

• Verify that the new test behavior—expecting successful authentication rather than an exception—fully covers the intended ephemeral key handling scenarios.

public async Task SslStream_EphemeralKey_DoesNotThrow()

src/libraries/Common/tests/System/Net/Configuration.Certificates.Dynamic.cs:165

• Re-assess the logic change that now re-imports certificates on Windows irrespective of the ephemeralKey flag, ensuring that both ephemeral and non-ephemeral scenarios are handled correctly.

if (PlatformDetection.IsWindows)

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[bartonjs]

I didn't get clarity from Windows on if it would be bad to do this "generally". It also doesn't solve the problem of loading the key from file and using CopyWithPrivateKey, still requires routing through PFX import/export (or doing something similar for the other path... but I haven't seen how this flag applies for non-PFX)