AzureAD
diff --git a/‎src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs‎
Lines changed: 8 additions & 4 deletions b/‎src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/CertificateCacheEntry.cs‎
Lines changed: 79 additions & 0 deletions b/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/CertificateCacheEntry.cs‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/CertificateCacheValue.cs‎
Lines changed: 34 additions & 0 deletions b/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/CertificateCacheValue.cs‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ICertificateCache.cs‎
Lines changed: 39 additions & 0 deletions b/‎src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ICertificateCache.cs‎
Lines changed: 39 additions & 0 deletions
@@ -2,15 +2,16 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Concurrent;
 using System.IO;
-using System.Threading.Tasks;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
-using Microsoft.Identity.Client.Internal;
+using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
-using Microsoft.Identity.Client.PlatformsCommon.Shared;
 using Microsoft.Identity.Client.Core;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.ManagedIdentity.V2;
-using System.Security.Cryptography.X509Certificates;
+using Microsoft.Identity.Client.PlatformsCommon.Shared;
 
 namespace Microsoft.Identity.Client.ManagedIdentity
 {
@@ -30,6 +31,9 @@ internal class ManagedIdentityClient
         internal static void ResetSourceForTest()
         {
             s_sourceName = ManagedIdentitySource.None;
+
+            // Clear cert caches so each test starts fresh
+            ImdsV2ManagedIdentitySource.ResetCertCacheForTest();
         }
 
         internal async Task<ManagedIdentityResponse> SendTokenRequestForManagedIdentityAsync(
 
@@ -0,0 +1,79 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// In-memory entry owned by the cache. Disposing the entry disposes the certificate it owns.
+    /// </summary>
+    internal sealed class CertificateCacheEntry : IDisposable
+    {
+        private int _disposed;
+
+        /// <summary>
+        /// Represents the minimum remaining lifetime for an operation or resource.
+        /// </summary>
+        public static readonly TimeSpan MinRemainingLifetime = TimeSpan.FromHours(24);
+
+        /// <summary>
+        /// certificate+endpoint+clientId cache entry.
+        /// </summary>
+        /// <param name="certificate"></param>
+        /// <param name="notAfterUtc"></param>
+        /// <param name="endpoint"></param>
+        /// <param name="clientId"></param>
+        /// <exception cref="ArgumentNullException"></exception>
+        public CertificateCacheEntry(X509Certificate2 certificate, DateTimeOffset notAfterUtc, string endpoint, string clientId)
+        {
+            Certificate = certificate ?? throw new ArgumentNullException(nameof(certificate));
+            NotAfterUtc = notAfterUtc;
+            Endpoint = endpoint ?? throw new ArgumentNullException(nameof(endpoint));
+            ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
+        }
+
+        /// <summary>
+        /// certificate owned by this entry.
+        /// </summary>
+        public X509Certificate2 Certificate { get; }
+        /// <summary>
+        /// notAfterUtc of the certificate.
+        /// </summary>
+        public DateTimeOffset NotAfterUtc { get; }
+        /// <summary>
+        /// endpoint associated with this certificate.
+        /// </summary>
+        public string Endpoint { get; }
+        /// <summary>
+        /// clientId associated with this certificate.
+        /// </summary>
+        public string ClientId { get; }
+
+        /// <summary>Whether this entry has been disposed.</summary>
+        public bool IsDisposed => Volatile.Read(ref _disposed) != 0;
+
+        /// <summary>
+        /// is expired at the specified time.
+        /// </summary>
+        /// <param name="nowUtc"></param>
+        /// <returns></returns>
+        public bool IsExpiredUtc(DateTimeOffset nowUtc) => nowUtc >= (NotAfterUtc - MinRemainingLifetime);
+
+        /// <summary>
+        /// dispose the entry and its certificate.
+        /// </summary>
+        public void Dispose()
+        {
+            if (Interlocked.Exchange(ref _disposed, 1) != 0)
+            {
+                return; // already disposed
+            }
+
+            // Idempotent due to the atomic guard
+            Certificate.Dispose();
+        }
+    }
+}
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// Immutable snapshot of a cached certificate and its associated metadata.
+    /// </summary>
+    internal readonly struct CertificateCacheValue
+    {
+        public CertificateCacheValue(X509Certificate2 certificate, string endpoint, string clientId)
+        {
+            if (certificate == null) throw new ArgumentNullException(nameof(certificate));
+            if (endpoint == null) throw new ArgumentNullException(nameof(endpoint));
+            if (clientId == null) throw new ArgumentNullException(nameof(clientId));
+
+            Certificate = certificate;
+            Endpoint = endpoint;
+            ClientId = clientId;
+        }
+
+        /// <summary>The certificate (clone owned by the caller).</summary>
+        public X509Certificate2 Certificate { get; }
+
+        /// <summary>The base endpoint to use with this certificate.</summary>
+        public string Endpoint { get; }
+
+        /// <summary>The canonical client id to be posted to the mTLS token endpoint.</summary>
+        public string ClientId { get; }
+    }
+}
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Identity.Client.Core;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    /// <summary>
+    /// Process-local cache for an mTLS certificate and its endpoint.
+    /// Expiration is based solely on certificate.NotAfter.
+    /// </summary>
+    internal interface ICertificateCache
+    {
+        /// <summary>
+        /// Try to get a cached certificate+endpoint+clientId for the specified cacheKey.
+        /// Returns true and non-null outputs if found and not expired.
+        /// </summary>
+        bool TryGet(
+            string cacheKey, 
+            out CertificateCacheValue value, 
+            ILoggerAdapter logger = null);
+
+        /// <summary>
+        /// Insert or replace the cached certificate+endpoint+clientId for cacheKey.
+        /// </summary>
+        void Set(
+            string cacheKey,
+            in CertificateCacheValue value,
+            ILoggerAdapter logger = null);
+
+        /// <summary>Remove an entry if present.</summary>
+        bool Remove(string cacheKey, ILoggerAdapter logger = null);
+
+        /// <summary>Clear all entries.</summary>
+        void Clear(ILoggerAdapter logger = null);
+    }
+}