diff --git a/.gitignore b/.gitignore
index d67e69afa..85b6139a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -203,7 +203,7 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
+
 *.publishsettings
 orleans.codegen.cs
 
diff --git a/src/BenchmarksApps/TLS/Kestrel/.dockerignore b/src/BenchmarksApps/TLS/Kestrel/.dockerignore
index fe1152bdb..1fa83a693 100644
--- a/src/BenchmarksApps/TLS/Kestrel/.dockerignore
+++ b/src/BenchmarksApps/TLS/Kestrel/.dockerignore
@@ -27,4 +27,7 @@ README.md
 !.git/HEAD
 !.git/config
 !.git/packed-refs
-!.git/refs/heads/**
\ No newline at end of file
+!.git/refs/heads/**
+!testCert-2048.pfx
+!testCert-4096.pfx
+!Certificates/
\ No newline at end of file
diff --git a/src/BenchmarksApps/TLS/Kestrel/Dockerfile b/src/BenchmarksApps/TLS/Kestrel/Dockerfile
index 3be617b54..5ff3eb6c8 100644
--- a/src/BenchmarksApps/TLS/Kestrel/Dockerfile
+++ b/src/BenchmarksApps/TLS/Kestrel/Dockerfile
@@ -22,6 +22,8 @@ WORKDIR /src
 COPY ["Kestrel.csproj", "."]
 RUN dotnet restore "./Kestrel.csproj"
 COPY . .
+# If a `Certificates` folder exists in the build context, copy it to /Certificates so the project Include path (..\Certificates) resolves during build.
+RUN if [ -d "./Certificates" ]; then mkdir -p /Certificates && cp -r ./Certificates/* /Certificates/; fi
 WORKDIR "/src/."
 RUN dotnet build "./Kestrel.csproj" -c $BUILD_CONFIGURATION -o /app/build
 
@@ -30,6 +32,12 @@ FROM build AS publish
 ARG BUILD_CONFIGURATION=Release
 RUN dotnet publish "./Kestrel.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
 
+# If TLS certificates are present in the build context (copied into /src/Certificates by the earlier COPY . .),
+# copy them into the publish output so the runtime can find them under 'certificates/'.
+RUN mkdir -p /app/publish/certificates || true; \
+    if [ -f ./Certificates/2048/testCert-2048.pfx ]; then cp ./Certificates/2048/testCert-2048.pfx /app/publish/certificates/; fi; \
+    if [ -f ./Certificates/4096/testCert-4096.pfx ]; then cp ./Certificates/4096/testCert-4096.pfx /app/publish/certificates/; fi
+
 # This stage is used in production or when running from VS in regular mode (Default when not using the Debug configuration)
 FROM base AS final
 WORKDIR /app
diff --git a/src/BenchmarksApps/TLS/Kestrel/Dockerfile.azurelinux b/src/BenchmarksApps/TLS/Kestrel/Dockerfile.azurelinux
index 1be70dc4b..90883a220 100644
--- a/src/BenchmarksApps/TLS/Kestrel/Dockerfile.azurelinux
+++ b/src/BenchmarksApps/TLS/Kestrel/Dockerfile.azurelinux
@@ -11,6 +11,11 @@ WORKDIR /src
 COPY ["Kestrel.csproj", "."]
 RUN dotnet restore "./Kestrel.csproj"
 COPY . .
+
+# Always copy the PFX files into the build's /src/Certificates directory (absolute paths to avoid nested src/src)
+COPY ["testCert-2048.pfx", "/src/Certificates/testCert-2048.pfx"]
+COPY ["testCert-4096.pfx", "/src/Certificates/testCert-4096.pfx"]
+
 WORKDIR "/src/."
 RUN dotnet build "./Kestrel.csproj" -c $BUILD_CONFIGURATION -o /app/build
 
@@ -19,9 +24,18 @@ FROM build AS publish
 ARG BUILD_CONFIGURATION=Release
 RUN dotnet publish "./Kestrel.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
 
+# If TLS certificates are present in the build context (copied into /src/Certificates by the earlier COPY . .),
+# copy them into the publish output so the runtime can find them under 'certificates/'.
+RUN mkdir -p /app/publish/certificates || true; \
+    if [ -f ./Certificates/2048/testCert-2048.pfx ]; then cp ./Certificates/2048/testCert-2048.pfx /app/publish/certificates/; fi; \
+    if [ -f ./Certificates/4096/testCert-4096.pfx ]; then cp ./Certificates/4096/testCert-4096.pfx /app/publish/certificates/; fi
+
 # This stage is used in production or when running from VS in regular mode
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
 
+# Ensure the certificate files copied into the build stage are also present in the final image where the app expects them
+COPY --from=build /src/Certificates /app/certificates
+
 ENTRYPOINT [ "dotnet", "Kestrel.dll" ]
diff --git a/src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj b/src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj
index fa4d10528..418d7adf5 100644
--- a/src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj
+++ b/src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj
@@ -20,13 +20,4 @@
     </None>
   </ItemGroup>
 
-  <ItemGroup>
-    <None Include="..\Certificates\2048\testCert-2048.pfx" Link="certificates\testCert-2048.pfx">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
-    <None Include="..\Certificates\4096\testCert-4096.pfx" Link="certificates\testCert-4096.pfx">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
-  </ItemGroup>
-
 </Project>
diff --git a/src/BenchmarksApps/TLS/Kestrel/testCert-2048.pfx b/src/BenchmarksApps/TLS/Kestrel/testCert-2048.pfx
new file mode 100644
index 000000000..3137a521b
Binary files /dev/null and b/src/BenchmarksApps/TLS/Kestrel/testCert-2048.pfx differ
diff --git a/src/BenchmarksApps/TLS/Kestrel/testCert-4096.pfx b/src/BenchmarksApps/TLS/Kestrel/testCert-4096.pfx
new file mode 100644
index 000000000..8c1c24b63
Binary files /dev/null and b/src/BenchmarksApps/TLS/Kestrel/testCert-4096.pfx differ