Replace test certificate chain that uses RSA+SHA-1

[vcsjones]

The certificate chain we were using in unit tests has a root certificate that is signed with RSA SHA-1. This signature algorithm is disabled on some linux distributions, and it is starting to get picked up in our CI.

Let's replace the chain with one that does not use RSA+SHA-1 signatures.

On CentOS Stream 10:

Contributes to #120527

[Copilot]

Pull Request Overview

This pull request updates the Microsoft.com SSL certificate test data and associated test cases to use a newer certificate version. The changes reflect an update from the Baltimore CyberTrust Root certificate chain to the DigiCert Global Root G2 certificate chain, with an updated certificate valid from October 2025 to March 2026.

• Updates the Microsoft.com SSL certificate and its issuer/root certificate chain data
• Adjusts verification times in tests to fall within the new certificate's validity period
• Updates hostname test cases to reflect the Subject Alternative Names (SANs) in the new certificate
• Simplifies platform-specific conditional logic for chain building tests

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
MatchesHostnameTests.cs	Updates hostname test cases to match SANs in the new certificate, including new domains like copilot.ai and yarp.dot.net
AuthorityKeyIdentifierTests.cs	Updates expected hex values for authority key identifiers to match the new DigiCert-based certificate chain
CollectionTests.cs	Updates verification time to December 2025 to fall within new certificate validity period
ChainTests.cs	Updates verification times, simplifies platform conditionals, improves expiration test structure with collection expressions, and adds better failure diagnostics
TestData.cs	Replaces entire certificate chain data (leaf, issuer, and root certificates) from Baltimore CyberTrust to DigiCert Global Root G2

Dismissing because it was approved before some test failures were known and need to re-evaluate the solution.

[bartonjs]

I'm guessing that what's really going on here is that I made a synecdoche mistake about how Windows handles NotValidForUsage. Looking up the root in question, I see that it's actually in my root trust store twice:

One of which is valid for all purposes, the other is only valid for certain. The previous test probably only involved a certificate that had no EKU, but did have Windows override limited purposes... so we saw "no" look like it propagated up. The new one is hitting ambiguity, which is either working because it always tries to succeed when it can, or it's random depending on something I don't understand.

[vcsjones]

I see that it's actually in my root trust store twice

Ah good point on the multiple roots.

Some options on how to proceed.

1. Leave as-is and create an issue for it to look in to.
2. Find a different chain that is more predictable and change to that. And create an issue.
3. Something more clever.

[bartonjs]

I'm good with (1). This is good enough to backport, and doesn't require renaming things 😄

[bartonjs]

If we want any change here, it'd be to say "fine, on Windows, it can either be NoError on top, or NotValidForUsage", just to show a) we know there's currently variance, but b) it's not across a huge spectrum.

[vcsjones]

/ba-g android timeouts are known.

[vcsjones]

/backport to release/10.0

[github-actions]

Started backporting to release/10.0 (link to workflow run)

[github-actions]

@vcsjones backporting to release/10.0 failed, the patch most likely resulted in conflicts. Please backport manually!

git am output

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Replace test certificate chain with one that does not have an RSA+SHA-1 root
Applying: Fix tests for Linux and make failures more clear
Applying: Fix the one second offset thing
Applying: Remove allowance for SHA-1 in test since it does not use SHA-1 anymore
Applying: Fix more verification times
error: sha1 information is lacking or useless (src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs).
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0005 Fix more verification times
Error: The process '/usr/bin/git' failed with exit code 128

Link to workflow output