After a VM or app restart, KeyGuard regenerates the per-boot private key in
the same CNG container while the old cert remains on disk. The cert appears
valid (time-wise, HasPrivateKey=true) but the key material has changed.

Fix: compare the cert's embedded public key modulus against the public key
currently exported from the CNG container. A mismatch conclusively means the
container was regenerated and the cert is orphaned. The check runs inside
WindowsPersistentCertificateCache.Read during candidate selection, so the
loop continues looking for a valid cert rather than returning an unusable one.

Non-CNG keys (software CSP) are accepted on faith since KeyGuard-style
regeneration does not apply to them. CryptographicException during key load
is treated as orphaned (key inaccessible = unusable).

The CNG container modified-time heuristic (Check 3 from the original proposal)
is intentionally omitted. Both it and the modulus comparison detect the same
event, but the modulus check is definitive: independently generated RSA keys
sharing a modulus is computationally infeasible. The modified-time check is a
heuristic with a known false-negative window and adds no additional coverage.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

RSA.Create(2048) does not return RSACng on ARM64 Windows (.NET 8).
Use new RSACng(2048) explicitly so the cast is always valid.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

When IsCertKeyOrphaned detects a cert whose CNG container key no longer
matches the cert's public key (post-reboot KeyGuard regeneration), the
cert is now removed from the Windows cert store instead of just skipped.

Previously the orphaned cert stayed in the store indefinitely, causing
a redundant modulus check on every Read call.

Changes:
- WindowsPersistentCertificateCache.Read: collect orphaned cert thumbprints
  during the scan loop; after the loop, open ReadWrite store and remove them
  (best-effort, wrapped in try/catch)
- Added internal Read overload accepting Func<X509Certificate2, ILoggerAdapter, bool>
  isOrphaned delegate for testability; IPersistentCertificateCache interface unchanged
- Added unit test: Read_RemovesOrphanedCert_FromStore

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ock orphan removal

- Rename internal Read overload to public TryRead with out param last
  (public Read delegates to TryRead with the default IsCertKeyOrphaned check)
- Extract SnapshotCertificates(store, logger) helper to eliminate 5 duplicate
  try/catch CopyTo fallback blocks across Read, Write, DeleteAllForAlias,
  PruneExpiredForAlias, and RemoveByThumbprints
- Wrap RemoveByThumbprints in InterprocessLock.TryWithAliasLock (300ms,
  best-effort) — same pattern as Write/Delete/DeleteAllForAlias to prevent
  concurrent store writes during orphan cleanup
- Update orphan removal test to call TryRead with the new signature

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…TLS certs on reboot

Fixes the post-reboot recovery path for IMDSv2 mTLS PoP token acquisition.
On Azure VM restart the per-boot KeyGuard key (NCryptUsePerBootKeyFlag) is
reaped by VBS, but the persisted binding cert under
CN=managedidentitysnissuer.login.microsoft.com still references the old
public key. The next call then either burns a failed TLS handshake before
the reactive SChannel catch kicks in, or — in the zombie-handle variant —
falls through entirely because the cert's modulus still matches the dead
container.

Changes
-------
- Add CanSign liveness probe right after CngKey.Open in
  WindowsCngKeyOperations.TryGetOrCreateKeyGuard. 1-byte RSA-SHA256 PKCS1
  sign; ~1-3ms, runs once per process (result is cached in
  WindowsManagedIdentityKeyProvider._cachedKey). Catches zombie-VBS state
  where Open succeeds but private material is dead.

- Add PurgeManagedIdentityCertificates: one-shot issuer-CN substring sweep
  of CurrentUser\My, invoked at the moment a fresh KeyGuard key is minted
  (both the probe-failed path and the Open-threw path). Removes orphaned
  binding certs at the cause site so the next request doesn't pay any
  per-Read discovery cost and multi-identity hosts (SAMI + UAMIs sharing
  the KeyGuard container) are cleaned up uniformly.

- Add 4 Windows-only unit tests for the purge filter behavior (matching,
  non-matching, case-insensitive, only-removes-matching).

The reactive SChannel catch in ImdsV2ManagedIdentitySource is retained as
a defensive backstop.

Validation
----------
Validated E2E on a Server 2022 KeyGuard VM across multiple reboots and
mixed SAMI/UAMI cases. Canonical post-reboot first call:
  - CngKey.Open threw CryptographicException HR=0x8009003A
  - Fresh KeyGuard key created
  - PurgeManagedIdentityCertificates removed orphan cert (Inspected=4)
  - MAA attestation OK
  - POST /issuecredential -> 200
  - mTLS handshake -> 200 on first try (no reactive catch invoked)
  - Total ~2.8s on cold start

Full unit suite green on net8.0: 2069 passed, 0 failed, 19 skipped.

Refs #6031.
Complementary to #6020 (cert-side modulus comparison): this PR adds the
key-side liveness probe and broad issuer-CN sweep at the mint site.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- RemoveByThumbprints: use HashSet<string>(OrdinalIgnoreCase) for thumbprint lookup (defensive; .NET's Thumbprint getter always returns uppercase, but normalize anyway).
- PurgeManagedIdentityCertificates: skip null entries in the snapshot consuming loop (defensive against TOCTOU between Certificates.Count and enumeration).
- WindowsPersistentCertificateCache.TryRead (testability overload): throw ArgumentNullException when the injected isOrphaned delegate is null.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>