fix(gateway): harden self-signed cert persistence and config validation

src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/KestrelTlsInspectorTests.cs

@@ -51,6 +51,13 @@ public sealed class KestrelTlsInspectorTests
         => Assert.True(KestrelTlsInspector.RequiresGeneratedCertificate(
             Config(("Kestrel:Endpoints:Https:Url", "HTTPS://0.0.0.0:5120"))));
 
+    [Fact]
+    public void RequiresGeneratedCertificate_False_WhenKestrelDefaultCertificateConfigured()
+        => Assert.False(KestrelTlsInspector.RequiresGeneratedCertificate(
+            Config(
+                ("Kestrel:Endpoints:Https:Url", "https://0.0.0.0:5120"),
+                ("Kestrel:Certificates:Default:Path", @"C:\certs\default.pfx"))));
+
     [Fact]
     public void RequiresGeneratedCertificate_True_WhenMixedEndpointsAndOneHttpsHasNoCert()
         => Assert.True(KestrelTlsInspector.RequiresGeneratedCertificate(

src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs

@@ -108,8 +108,18 @@ public sealed class SelfSignedCertificateProviderTests
         finally { Directory.Delete(dir, recursive: true); }
     }
 
+    [Fact]
+    public void LoadOrCreate_Throws_WhenSelfSignedCertPathBlank()
+    {
+        TlsOptions options = new() { SelfSignedCertPath = "  " };
+        Assert.Throws<InvalidOperationException>(
+            () => CreateProvider(options, new FakeTimeProvider()).LoadOrCreate());
+    }
+
+    private const string SubjectAltNameOid = "2.5.29.17";
+
     private static string ReadSubjectAltNames(X509Certificate2 cert)
         => cert.Extensions
-            .First(e => e.Oid?.Value == "2.5.29.17")
+            .First(e => e.Oid?.Value == SubjectAltNameOid)
             .Format(false);
 }