<PackageReference Include="Microsoft.Identity.Client" Version="4.84.2-preview4-GetManagedIdentityCapabilitiesAsync" />

Microsoft.Identity.Client.ManagedIdentity.V2.IPersistentCertificateCache

Persistence interface for IMDSv2 mTLS binding certificates. Implementations must be best-effort and non-throwing so that certificate persistence never blocks authentication.
void Delete(string alias, ILoggerAdapter logger)

Deletes expired certificate entries for the alias (best-effort), leaving the latest valid binding for the alias in place (if any). Write calls DeleteAllForAlias, so this method is only expected to be called by implementations of Write.

void DeleteAllForAlias(string alias, ILoggerAdapter logger)

Deletes ALL certificate entries for the alias (best-effort), including non-expired ones. Intended for "reset/evict" scenarios (e.g., SCHANNEL rejects the cached cert) to force a re-mint. When a machine restarts, the key becomes inaccessible and the cached certs should be cleared so that a new cert can be minted.

bool Read(string alias, out CertificateCacheValue value, ILoggerAdapter logger)

Reads the newest valid entry for the alias (at least 24h of validity remaining and a private key present). Returns true on cache hit, false otherwise.

void Write(string alias, X509Certificate2 cert, string endpointBase, ILoggerAdapter logger)

Persists the certificate for the alias (best-effort). Implementations should log failures but must not throw; callers do not depend on persistence succeeding and fall back to in-memory cache only.
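The following is an added illustration of the contract described above, not code from MSAL.NET: a minimal implementation of IPersistentCertificateCache that keeps its entries in process memory so the best-effort, non-throwing rules can be seen end to end. The Microsoft.Identity.Client.Core namespace for ILoggerAdapter, the logger's Warning(string) method, and a CertificateCacheValue(X509Certificate2, string) constructor are assumptions; the 24-hour threshold and the private-key check come from the Read description, and Write evicts the alias before storing, as the Delete description states.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client.Core;                // ILoggerAdapter (assumed namespace)
using Microsoft.Identity.Client.ManagedIdentity.V2;  // IPersistentCertificateCache, CertificateCacheValue

// Best-effort cache whose backing store is a plain dictionary. A production
// implementation would persist to a certificate store or file, but every method
// here follows the same rule: catch everything, log, and never throw, so that a
// persistence failure can only ever degrade to an in-memory cache, not block auth.
public sealed class BestEffortCertificateCache : IPersistentCertificateCache
{
    // Read() ignores bindings with less than this much lifetime left.
    private static readonly TimeSpan MinRemainingLifetime = TimeSpan.FromHours(24);

    private readonly object _gate = new object();
    private readonly Dictionary<string, List<(X509Certificate2 Cert, string EndpointBase)>> _entries =
        new Dictionary<string, List<(X509Certificate2 Cert, string EndpointBase)>>(StringComparer.Ordinal);

    // A binding is usable only if its private key is still reachable (after a
    // reboot a non-persisted key is gone), it is already valid, and it keeps the
    // minimum remaining lifetime.
    private static bool IsUsable(X509Certificate2 cert, DateTime nowUtc) =>
        cert != null
        && cert.HasPrivateKey
        && cert.NotBefore.ToUniversalTime() <= nowUtc
        && cert.NotAfter.ToUniversalTime() - nowUtc >= MinRemainingLifetime;

    // Log only the exception type: a store path or OS error text could carry
    // details that do not belong in application logs.
    private static void Warn(ILoggerAdapter logger, string op, Exception ex) =>
        logger?.Warning($"[CertCache] {op} failed (best-effort, ignored): {ex.GetType().Name}"); // assumed API

    public bool Read(string alias, out CertificateCacheValue value, ILoggerAdapter logger)
    {
        value = null;
        try
        {
            DateTime now = DateTime.UtcNow;
            lock (_gate)
            {
                if (!_entries.TryGetValue(alias, out var list)) return false;
                var newest = list.Where(e => IsUsable(e.Cert, now))
                                 .OrderByDescending(e => e.Cert.NotAfter)
                                 .FirstOrDefault();
                if (newest.Cert == null) return false;
                // Assumption: CertificateCacheValue exposes a (cert, endpointBase) constructor.
                value = new CertificateCacheValue(newest.Cert, newest.EndpointBase);
                return true;
            }
        }
        catch (Exception ex) { Warn(logger, nameof(Read), ex); return false; }  // miss, never throw
    }

    public void Delete(string alias, ILoggerAdapter logger)
    {
        try
        {
            DateTime now = DateTime.UtcNow;
            lock (_gate)
            {
                if (!_entries.TryGetValue(alias, out var list)) return;
                // Keep only the newest still-usable binding; drop expired or key-less ones.
                var keep = list.Where(e => IsUsable(e.Cert, now))
                               .OrderByDescending(e => e.Cert.NotAfter)
                               .Take(1).ToList();
                if (keep.Count == 0) _entries.Remove(alias); else _entries[alias] = keep;
            }
        }
        catch (Exception ex) { Warn(logger, nameof(Delete), ex); }
    }

    public void DeleteAllForAlias(string alias, ILoggerAdapter logger)
    {
        try { lock (_gate) { _entries.Remove(alias); } }  // evict everything, valid or not
        catch (Exception ex) { Warn(logger, nameof(DeleteAllForAlias), ex); }
    }

    public void Write(string alias, X509Certificate2 cert, string endpointBase, ILoggerAdapter logger)
    {
        try
        {
            if (cert == null || !cert.HasPrivateKey) return;  // a binding without a key is useless
            DeleteAllForAlias(alias, logger);                  // replace, do not accumulate, old bindings
            lock (_gate)
            {
                if (!_entries.TryGetValue(alias, out var list))
                    _entries[alias] = list = new List<(X509Certificate2 Cert, string EndpointBase)>();
                list.Add((cert, endpointBase));
            }
        }
        catch (Exception ex) { Warn(logger, nameof(Write), ex); }  // caller falls back to memory
    }
}
```

The points worth carrying into a real store are the ones the interface text insists on: Read filters on the private key as well as on remaining lifetime, so a reboot that discards the key produces a clean miss rather than a handshake failure, and every method swallows its own exceptions so the caller's fallback to the in-memory cache is the only visible effect of a broken persistence layer.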