diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index aac73451676..6caab7611f4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -859,6 +859,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 
 # The following patterns are parsed from ./jstests/core/testing/OWNERS.yml
 /jstests/core/testing/**/* @10gen/server-programmability @svc-auto-approve-bot
+/jstests/core/testing/**/certs_are_generated.js @10gen/server-security @svc-auto-approve-bot
 
 # The following patterns are parsed from ./jstests/core/timeseries/OWNERS.yml
 /jstests/core/timeseries/**/* @10gen/server-collection-write-path @svc-auto-approve-bot
diff --git a/BUILD.bazel b/BUILD.bazel
index e7e18292fba..fa0aec26531 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -180,6 +180,9 @@ mongo_install(
 mongo_install(
     name = "devcore",
     srcs = [],
+    root_files = {
+        "//x509:generate_main_certificates": "bin/x509",
+    },
     deps = [
         "mongo",
         "mongod",
@@ -305,8 +308,11 @@ mongo_install(
     root_files = select({
         "@platforms//os:linux": {
             "//src/mongo/db/extension/test_examples:extension_options_configs": "etc/mongo/extensions",
+            "//x509:generate_main_certificates": "bin/x509",
+        },
+        "//conditions:default": {
+            "//x509:generate_main_certificates": "bin/x509",
         },
-        "//conditions:default": {},
     }),
     try_zstd = True,
     deps = [
diff --git a/buildscripts/resmokeconfig/BUILD.bazel b/buildscripts/resmokeconfig/BUILD.bazel
index 0bd8ed07f30..5dac61f36e7 100644
--- a/buildscripts/resmokeconfig/BUILD.bazel
+++ b/buildscripts/resmokeconfig/BUILD.bazel
@@ -44,6 +44,7 @@ resmoke_suite_test(
         "//jstests/sharding/libs:last_lts_mongos_commands.js",
         "//jstests/third_party/fast_check:fc-3.1.0.js",
         "//src/third_party/schemastore.org:schemas",
+        "//x509:generate_main_certificates",
     ],
     exclude_files = [
         # Transactions are not supported on MongoDB standalone nodes, so we do not run these tests in the
diff --git a/jstests/core/testing/OWNERS.yml b/jstests/core/testing/OWNERS.yml
index 358540f30a8..971897da123 100644
--- a/jstests/core/testing/OWNERS.yml
+++ b/jstests/core/testing/OWNERS.yml
@@ -3,3 +3,6 @@ filters:
   - "*":
     approvers:
       - 10gen/server-programmability
+  - "certs_are_generated.js":
+    approvers:
+      - 10gen/server-security
diff --git a/jstests/core/testing/certs_are_generated.js b/jstests/core/testing/certs_are_generated.js
new file mode 100644
index 00000000000..5a855b41d11
--- /dev/null
+++ b/jstests/core/testing/certs_are_generated.js
@@ -0,0 +1,22 @@
+/**
+ * Tests that certificate generation is always complete when running resmoke tests.
+ * @tags: [
+ *   # This test relies on the installation directory structure, and thus does not work properly on
+ *   # SELinux.
+ *   no_selinux,
+ * ]
+ */
+
+let installDir = _getEnv("INSTALL_DIR");
+if (installDir === "") {
+    installDir = ".";
+}
+const pathsep = _isWindows() ? "\\" : "/";
+const certDir = installDir + pathsep + "x509";
+jsTest.log.info(certDir);
+
+jsTest.log.info(ls(installDir));
+jsTest.log.info(ls(certDir));
+
+assert(fileExists(certDir + pathsep + "ca.pem"));
+assert(fileExists(certDir + pathsep + "crl.pem.digest.sha1"));