Rig.TUnit.Security.Mtls 0.1.0-beta.2

This is a prerelease version of Rig.TUnit.Security.Mtls.
dotnet add package Rig.TUnit.Security.Mtls --version 0.1.0-beta.2
                    

Rig.TUnit.Security.Mtls

Mutual-TLS fixture — ephemeral self-signed CA + matched client/server leaf certs for Kestrel mTLS tests. No production bypass.

What this package is

An mTLS integration-test fixture. MtlsFixture generates a self-signed CA plus matched client + server leaf certificates in-memory at fixture startup; the keys live only for the fixture lifetime and dispose deterministically. The generated chain validates via the real X.509 stack — suitable for Kestrel mTLS endpoints and HttpClient peer authentication. No ServerCertificateCustomValidationCallback bypass.

When to use it

  • Integration tests for Kestrel endpoints configured with RequireClientCertificate = true.
  • Verifying CertificateAuthentication middleware accepts / rejects chains correctly.
  • Regression-testing certificate-rotation code paths.
  • Not for: unit tests — mTLS requires real TCP + TLS negotiation.

Prerequisites

  • .NET 10 SDK
  • Kestrel server under test configured for mTLS
  • OpenSSL / .NET cert stack available (both are built-in on .NET 10).

Quick start

using Rig.TUnit.Security.Mtls.Fixtures;

await using var fx = new MtlsFixture();
await fx.InitializeAsync();

MtlsAssert.BothSidesAuthenticated(fx.ClientCertificate, fx.ServerCertificate);

Options

Property        Type     Default                  Description
CaSubject       string   "CN=rigtunit-test-ca"    CA subject DN
ClientSubject   string   "CN=rigtunit-client"     Client leaf DN
ServerSubject   string   "CN=rigtunit-server"     Server leaf DN
ValidityDays    int      365                      CA + leaf validity window

Fixture + helper APIs

  • Rig.TUnit.Security.Mtls.Fixtures.MtlsFixture
  • Rig.TUnit.Security.Mtls.Options.MtlsFixtureOptions
  • Rig.TUnit.Security.Mtls.Builder.MtlsRigBuilder
  • Rig.TUnit.Security.Mtls.Assertions.MtlsAssert

Per-test isolation

Each MtlsFixture owns its own CA + leaf certs. Subjects include IsolationKey when the test uses the default wiring, so parallel tests produce distinct chains.

Parallelism + performance

  • Certificate generation: ~15–25 ms per fixture (CA + 2 leaves + RSA 2048 keys).
  • Memory-only — no disk writes, no registry.
  • Parallelism: safe; each fixture is independent.

Troubleshooting

  • AuthenticationException on handshake: the client cert is not trusted. Ensure the Kestrel config sets ClientCertificateMode = RequireCertificate and that the server trusts the fixture's CA (add via fx.Ca).
  • Cert expired immediately: ValidityDays was set ≤ 0. The default is 365; don't set it to 0.

See docs/troubleshooting.md#mtls.

Provider quirks + edge cases

  • Keys are in-memory X509Certificate2 with exportable private key; do not persist them (the fixture deliberately scopes keys to the fixture lifetime).
  • BothSidesAuthenticated verifies both leaves chain to the fixture's CA; missing intermediates fail this check.
  • The generated chain does NOT populate CRL/OCSP; revocation checks must be turned off for these chains.
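
The validation model described above (trust only the ephemeral test CA, revocation off, no validation-callback bypass), shown with plain .NET BCL calls. This is an added example, not the package's own code; the subject names and the helpers NewCa, NewLeaf and ChainsTo are hypothetical.

```csharp
// Added example: BCL-only sketch, not Rig.TUnit.Security.Mtls source code.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);

// Constructed subjects; "example-other-ca" stands in for any CA the server must not trust.
using var ca = NewCa("CN=example-test-ca");
using var otherCa = NewCa("CN=example-other-ca");
using var client = NewLeaf(ca, "CN=example-client");
using var foreign = NewLeaf(otherCa, "CN=example-client");

Console.WriteLine($"client chains to test CA:  {ChainsTo(ca, client)}");
Console.WriteLine($"foreign chains to test CA: {ChainsTo(ca, foreign)}");

X509Certificate2 NewCa(string subject)
{
    using var key = RSA.Create(2048);
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
    req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
    return req.CreateSelfSigned(notBefore, notBefore.AddDays(2));
}

X509Certificate2 NewLeaf(X509Certificate2 issuer, string subject)
{
    using var key = RSA.Create(2048);
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
    req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
    req.CertificateExtensions.Add(
        new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ClientAuthEku) }, false));
    // The leaf validity window must nest inside the issuer's, or Create throws ArgumentException.
    using var pub = req.Create(issuer, notBefore, notBefore.AddDays(1), RandomNumberGenerator.GetBytes(16));
    return pub.CopyWithPrivateKey(key);
}

bool ChainsTo(X509Certificate2 root, X509Certificate2 leaf)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // only this root, not the OS store
    chain.ChainPolicy.CustomTrustStore.Add(root);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // chain has no CRL/OCSP endpoints
    chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));  // leaf must carry the clientAuth EKU
    return chain.Build(leaf); // real signature, validity and EKU checks still run
}
```

Keeping RevocationMode.NoCheck and the custom root inside the test's own chain policy, rather than in shared server configuration, keeps the relaxed revocation setting from reaching production code paths.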

Benchmarks

See MtlsBenchmarks.cs; baseline in benchmarks/baseline-005.json. Certificate generation is the dominant cost and tracked closely.

License

MIT. See LICENSE.

Product: .NET
Compatible and additional computed target framework versions: net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on Rig.TUnit.Security.Mtls:

Package Downloads
Rig.TUnit.All

Meta-package containing every Rig.TUnit.* package. DISCOURAGED — prefer per-feature or per-stack meta-packages (Rig.TUnit, Rig.TUnit.Microservices).

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.1.0-beta.2 42 4/27/2026
0.0.0-alpha.0.14 43 4/26/2026