diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
index db921cc2a2f..3532c5470eb 100644
--- a/.config/CredScanSuppressions.json
+++ b/.config/CredScanSuppressions.json
@@ -24,6 +24,14 @@
     {
       "placeholder": "thisIsAFakeSecret",
       "_justification": "This isn't a real secret, it's used in one of the playground applications for testing purposes."
+    },
+    {
+      "file": "\\tests\\Shared\\TestCertificates\\eku.client.pfx",
+      "_justification": "Legitimate UT certificate file with private key, from dotnet/aspnetcore"
+    },
+    {
+      "file": "\\tests\\Shared\\TestCertificates\\testCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key, from dotnet/aspnetcore"
     }
   ]
 }
diff --git a/tests/Shared/TestCertificates/README.md b/tests/Shared/TestCertificates/README.md
index 2e736f9d538..5bc3a334067 100644
--- a/tests/Shared/TestCertificates/README.md
+++ b/tests/Shared/TestCertificates/README.md
@@ -3,3 +3,7 @@
 Unless otherwise stated, these certificates are copied from dotnet/aspnetcore:
 
 https://github.com/dotnet/aspnetcore/tree/main/src/Shared/TestCertificates
+
+If you add more, please also copy the suppression entries from this file in dotnet/aspnetcore:
+
+.config\CredScanSuppressions.json