Certificate Management Operations
Manage X.509 certificates directly from Nodinite, with viewing and editing operations for certificate details, thresholds, and lifecycle management.
View Certificate Details
The details view shows comprehensive certificate information, including the security assessment data from all monitoring phases.
Basic Certificate Information
- Friendly Name / Display Name - User-friendly certificate identifier
- Subject Name - Certificate subject distinguished name
- Issuer Name (Issued By) - Certificate issuer/CA name
- Serial Number - Unique certificate serial identifier
- Thumbprint (SHA-1) - Certificate hash fingerprint
Certificate Validity Period
- Valid From (Issue Date) - Certificate creation/signing date
- Valid Until (Expiration Date) - Certificate expiration date
- Days Until Expiration - Calculated remaining days (or days expired if negative)
- Days Since Issue - Certificate age in days
Phase 1: Private Key Health Information
- Private Key Present - Yes / No / Unknown
- Private Key Exportable - Yes / No / Unknown (security risk if Yes)
- Private Key Size (bits) - RSA/ECDSA key length in bits
- Phase 1 Assessment - A security warning is displayed if the private key is missing or exportable
Phase 1 State Examples
✅ OK - Healthy Private Key:
Private Key Present: Yes
Private Key Accessible: Yes
Private Key Exportable: No (Secure)
Private Key Size: 2048 bits (RSA)
Phase 1 Status: ✅ OK (Proper security posture)
⚠️ WARNING - Exportable Private Key:
Private Key Present: Yes
Private Key Accessible: Yes
Private Key Exportable: Yes (Security Risk)
Private Key Size: 2048 bits (RSA)
Phase 1 Status: ⚠️ WARNING (Exportable key poses security risk - restrict access)
❌ ERROR - Missing Private Key:
Private Key Present: No
Private Key Accessible: N/A
Private Key Exportable: N/A
Private Key Size: N/A
Phase 1 Status: ❌ ERROR (Certificate cannot be used for encryption/signing - personal store only)
Phase 2: Cryptographic Information
- Signature Algorithm - Signing algorithm (e.g., SHA256RSA, SHA384ECDSA)
- Public Key Algorithm - Key type (RSA, ECDSA, DSA, etc.)
- Public Key Size (bits) - RSA/ECDSA key length
- Hash Algorithm - Hash method used for signature (MD5, SHA-1, SHA-256, etc.)
- Phase 2 Alert - A security warning is displayed if a weak algorithm (MD5, SHA-1) is used
Phase 2 State Examples
✅ OK - Strong Cryptography:
Signature Algorithm: SHA256RSA
Public Key Algorithm: RSA
Public Key Size: 2048 bits
Hash Algorithm: SHA-256
Phase 2 Status: ✅ OK (Strong modern cryptography)
⚠️ WARNING - Weak Cryptography:
Signature Algorithm: SHA1RSA
Public Key Algorithm: RSA
Public Key Size: 1024 bits
Hash Algorithm: SHA-1 (Deprecated)
Phase 2 Status: ⚠️ WARNING (Weak algorithm - replace certificate)
❌ ERROR - Severely Weak Cryptography:
Signature Algorithm: MD5RSA
Public Key Algorithm: RSA
Public Key Size: 512 bits
Hash Algorithm: MD5 (Broken)
Phase 2 Status: ❌ ERROR (Broken cryptography - immediate replacement required)
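The Phase 2 grading can be expressed as a small classifier over the signature algorithm name and the public key size. The following is an added example, not Nodinite's own code: it reproduces the three states above from the Windows-style algorithm names (SHA256RSA, SHA1RSA, MD5RSA). The key-size thresholds are assumptions chosen to match those examples (2048-bit RSA OK, 1024-bit WARNING, 512-bit ERROR), and every finding is kept rather than only the first, so the details view can list all reasons.

```python
"""Phase 2 assessment: grade a certificate's signature hash and public key size
into OK / WARNING / ERROR. Added example, not Nodinite's code; the key-size
thresholds are assumptions that reproduce the page's three example states."""
import re

SEVERITY = {"OK": 0, "WARNING": 1, "ERROR": 2}

BROKEN_HASHES = {"MD2", "MD4", "MD5"}   # collision attacks are practical
DEPRECATED_HASHES = {"SHA1"}            # no longer accepted for signatures

# Minimum public key sizes in bits (assumption): at or above KEY_OK_MIN is OK,
# at or above KEY_WARN_MIN is WARNING, anything smaller is ERROR.
KEY_OK_MIN = {"RSA": 2048, "DSA": 2048, "ECDSA": 256}
KEY_WARN_MIN = {"RSA": 1024, "DSA": 1024, "ECDSA": 224}

# Windows-style composite names such as SHA256RSA, SHA384ECDSA, MD5RSA.
SIG_ALG_RE = re.compile(
    r"^(?P<hash>MD[245]|SHA(?:1|224|256|384|512))(?P<key>RSA|ECDSA|DSA)$",
    re.IGNORECASE,
)


def parse_signature_algorithm(name):
    """Split 'SHA256RSA' into ('SHA256', 'RSA'); (None, None) if unrecognised."""
    m = SIG_ALG_RE.match(name.strip())
    if not m:
        return None, None
    return m.group("hash").upper(), m.group("key").upper()


def _worst(current, candidate):
    """Keep the more severe of two states."""
    return candidate if SEVERITY[candidate] > SEVERITY[current] else current


def assess_phase2(signature_algorithm, public_key_algorithm, public_key_bits):
    """Return (status, findings); status is the worst individual finding."""
    status, findings = "OK", []

    hash_alg, _ = parse_signature_algorithm(signature_algorithm)
    if hash_alg is None:
        status = _worst(status, "WARNING")
        findings.append(f"unrecognised signature algorithm {signature_algorithm!r}")
    elif hash_alg in BROKEN_HASHES:
        status = _worst(status, "ERROR")
        findings.append(f"{hash_alg} signature hash is broken - immediate replacement required")
    elif hash_alg in DEPRECATED_HASHES:
        status = _worst(status, "WARNING")
        findings.append(f"{hash_alg} signature hash is deprecated - replace certificate")

    key_alg = public_key_algorithm.strip().upper()
    if key_alg not in KEY_OK_MIN:
        status = _worst(status, "WARNING")
        findings.append(f"unknown public key algorithm {public_key_algorithm!r}")
    elif public_key_bits < KEY_WARN_MIN[key_alg]:
        status = _worst(status, "ERROR")
        findings.append(f"{key_alg} {public_key_bits}-bit key is far below {KEY_OK_MIN[key_alg]} bits")
    elif public_key_bits < KEY_OK_MIN[key_alg]:
        status = _worst(status, "WARNING")
        findings.append(f"{key_alg} {public_key_bits}-bit key is below {KEY_OK_MIN[key_alg]} bits")

    if not findings:
        findings.append("strong modern cryptography")
    return status, findings


if __name__ == "__main__":
    for args in (("SHA256RSA", "RSA", 2048), ("SHA1RSA", "RSA", 1024), ("MD5RSA", "RSA", 512)):
        print(args, "->", assess_phase2(*args))
```

A certificate can be weak on either axis independently (a SHA-256 signature over a 1024-bit key is still a WARNING), which is why the two checks escalate a shared status instead of returning early.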
Phase 3: Certificate Chain Validation
- Chain Validation Status - OK / Partial Chain / Untrusted Root / Other Issues
- Chain Details:
  - Leaf Certificate - The end-entity certificate
  - Intermediate CA (if applicable) - Intermediate certificate(s) in the chain
  - Root CA - Root certificate authority
- Chain Errors - Specific errors with categorization (Critical/Warning/Info)
- Phase 3 Alert - Specific chain validation errors with remediation steps
Phase 3 State Examples
✅ OK - Valid Chain:
Chain Validation Status: ✅ OK
Leaf: www.example.com (Self)
Intermediate: Contoso Internal CA
Root: Contoso Root CA
Errors: None
Phase 3 Status: ✅ OK (Complete valid chain)
⚠️ WARNING - Partial Chain:
Chain Validation Status: ⚠️ Partial Chain
Leaf: www.example.com (Self)
Intermediate: [Missing - "GlobalSign Intermediate CA"]
Root: [Missing - "GlobalSign Root CA"]
Errors: PartialChain - Missing intermediate certificates
Phase 3 Status: ⚠️ WARNING (Download and install missing intermediates)
❌ ERROR - Untrusted Root:
Chain Validation Status: ❌ Untrusted Root
Leaf: test.example.com (Self)
Intermediate: [None]
Root: Self-Signed Test CA (NOT in trusted store)
Errors: UntrustedRoot - Root certificate not in Trusted Root store
Phase 3 Status: ❌ ERROR (Add root to trusted store or use different certificate)
Phase 4: Certificate Purpose & Enhanced Key Usage (EKU)
- Certificate Purpose - Intended use (Server Auth, Client Auth, Code Signing, etc.)
- Enhanced Key Usage (EKU) - List of EKU OIDs (e.g., 1.3.6.1.5.5.7.3.1 = Server Auth)
- Key Usage Flags - Digital Signature, Key Encipherment, etc.
- Phase 4 Assessment - A warning is displayed if the certificate is multi-purpose or carries "Any Purpose"
Phase 4 State Examples
✅ OK - Single Purpose Certificate:
Purpose: Server Authentication (SSL/TLS)
Enhanced Key Usage (EKU):
• 1.3.6.1.5.5.7.3.1 (Server Authentication)
Key Usage Flags:
• Digital Signature ✅
• Key Encipherment ✅
Phase 4 Status: ✅ OK (Properly scoped for SSL/TLS use)
⚠️ WARNING - Multi-Purpose Certificate:
Purpose: Multiple (Server Auth + Client Auth + Code Signing)
Enhanced Key Usage (EKU):
• 1.3.6.1.5.5.7.3.1 (Server Authentication)
• 1.3.6.1.5.5.7.3.2 (Client Authentication)
• 1.3.6.1.5.5.7.3.3 (Code Signing)
Key Usage Flags:
• Digital Signature ✅
• Key Encipherment ✅
• Non-Repudiation ✅
Phase 4 Status: ⚠️ WARNING (Multi-purpose violates least privilege - consider separate certs)
❌ CRITICAL - "Any Purpose" Certificate:
Purpose: Unrestricted (ANY Purpose)
Enhanced Key Usage (EKU):
• 2.5.29.37.0 (Any Purpose - UNRESTRICTED)
Key Usage Flags:
• All flags enabled
Phase 4 Status: ❌ CRITICAL (Any Purpose is security risk - immediate replacement required)
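The Phase 4 scoping rules reduce to a check over the EKU OID list. The following is an added example, not Nodinite's own code: it decodes the OIDs the way the details view lists them and grades the scope into the three states above. The OID names are the standard RFC 5280 / Microsoft assignments; the grading rules, the `expected_oid` parameter, and the decision to treat a certificate with no EKU extension at all like "Any Purpose" (RFC 5280 leaves such a key unconstrained) are assumptions.

```python
"""Phase 4 assessment: decode Enhanced Key Usage OIDs and grade the scope as
OK / WARNING / CRITICAL. Added example, not Nodinite's code; OID names are
standard, the grading rules and the missing-EKU treatment are assumptions."""

ANY_PURPOSE_OID = "2.5.29.37.0"           # anyExtendedKeyUsage
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

EKU_NAMES = {
    SERVER_AUTH_OID: "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Email Protection",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
    ANY_PURPOSE_OID: "Any Purpose",
}


def describe_eku(oids):
    """Render OIDs as the details view lists them, e.g.
    '1.3.6.1.5.5.7.3.1 (Server Authentication)'."""
    return [f"{oid} ({EKU_NAMES.get(oid, 'Unknown OID')})" for oid in oids]


def assess_phase4(eku_oids, expected_oid=SERVER_AUTH_OID):
    """Return (status, purpose, recommendation).

    Rules (assumptions matching the page's examples):
    - Any Purpose present, or no EKU extension at all: CRITICAL.
    - More than one distinct purpose: WARNING (least privilege).
    - Exactly one purpose: OK if it is the expected one, otherwise WARNING
      (for instance a Code Signing certificate bound to an HTTPS site)."""
    # De-duplicate while keeping the certificate's own order.
    oids = list(dict.fromkeys(o.strip() for o in eku_oids if o and o.strip()))

    if not oids or ANY_PURPOSE_OID in oids:
        return ("CRITICAL", "Unrestricted (ANY Purpose)",
                "Any Purpose is a security risk - replace with a single-purpose certificate")
    if len(oids) > 1:
        joined = " + ".join(EKU_NAMES.get(o, o) for o in oids)
        return ("WARNING", f"Multiple ({joined})",
                "Multi-purpose violates least privilege - consider separate certs")
    only = oids[0]
    name = EKU_NAMES.get(only, only)
    if only != expected_oid:
        expected = EKU_NAMES.get(expected_oid, expected_oid)
        return ("WARNING", name, f"purpose is {name}, expected {expected} for this use")
    return ("OK", name, f"Properly scoped for {name}")


if __name__ == "__main__":
    for oids in (["1.3.6.1.5.5.7.3.1"],
                 ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.3"],
                 ["2.5.29.37.0"]):
        print(describe_eku(oids), "->", assess_phase4(oids))
```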
Phase 5: IIS Binding Status
- IIS Binding Present - Yes / No
- Binding Details (if present):
  - IIS Site Name - Site hosting the binding
  - Binding Hostname - Domain/hostname for the binding
  - Port - Usually 443 for HTTPS
  - SNI Enabled - Server Name Indication support
- Hostname Verification:
  - Binding Hostname - Expected hostname
  - Certificate Subject - Certificate CN value
  - Alternate Names (SAN) - Certificate subject alternative names
  - Match Status - ✅ Exact Match / ⚠️ Wildcard Match / ❌ No Match
- Phase 5 Alert - A warning is displayed if the hostname does not match or the binding is stale
Phase 5 State Examples
✅ OK - Exact Match Binding:
IIS Binding Present: Yes
IIS Site: WebServer
Binding Hostname: www.example.com
Port: 443
SNI Enabled: Yes
Hostname Verification:
Binding: www.example.com
Subject: www.example.com
SAN: www.example.com, example.com
Match: ✅ Exact Match
Phase 5 Status: ✅ OK (Binding valid and hostname matches)
⚠️ WARNING - Wildcard Match Binding:
IIS Binding Present: Yes
IIS Site: APIServer
Binding Hostname: api.example.com
Port: 443
SNI Enabled: Yes
Hostname Verification:
Binding: api.example.com
Subject: *.example.com
SAN: *.example.com, example.com
Match: ⚠️ Wildcard Match (certificate: *.example.com)
Phase 5 Status: ⚠️ WARNING (Working but wildcard - consider exact match certificate)
❌ ERROR - Hostname Mismatch Binding:
IIS Binding Present: Yes
IIS Site: LegacyApp
Binding Hostname: old.example.com
Port: 443
SNI Enabled: Yes
Hostname Verification:
Binding: old.example.com
Subject: www.example.com
SAN: www.example.com
Match: ❌ No Match (certificate: www.example.com)
Phase 5 Status: ❌ ERROR (Certificate hostname mismatch - browsers will warn)
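The Exact / Wildcard / No Match verdict above follows the hostname-matching rules of RFC 6125: SAN DNS names take precedence over the Subject CN, a wildcard must be the whole leftmost label and covers exactly one label, so `*.example.com` matches `api.example.com` but neither `example.com` nor `a.b.example.com`. The following is an added example, not Nodinite's own code; the sample certificates in it are constructed from the three bindings shown above.

```python
"""Phase 5 hostname verification: compare an IIS binding hostname with a
certificate's Subject CN and SAN DNS names and report Exact / Wildcard /
No Match using RFC 6125 wildcard rules. Added example, not Nodinite's code."""


def _normalise(host):
    """DNS names are case-insensitive; a trailing dot is the same name."""
    return host.strip().rstrip(".").lower()


def _wildcard_matches(pattern, host):
    """'*' must be the entire leftmost label, it matches exactly one label,
    and the remaining labels must be identical. Patterns like '*.com' are
    refused because they would cover a whole public suffix."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(binding_hostname, subject_cn, san_dns_names):
    """Return (status, matched_name). The CN is only consulted when the
    certificate carries no DNS SANs (RFC 6125 section 6.4.4)."""
    host = _normalise(binding_hostname)
    candidates = [_normalise(n) for n in san_dns_names if n.strip()]
    if not candidates and subject_cn:
        candidates = [_normalise(subject_cn)]

    # Prefer an exact entry even when a wildcard would also match, so the UI
    # reports 'Exact Match' for a cert that lists both 'example.com' and '*.example.com'.
    for name in candidates:
        if "*" not in name and name == host:
            return "Exact Match", name
    for name in candidates:
        if "*" in name and _wildcard_matches(name, host):
            return "Wildcard Match", name
    return "No Match", None


if __name__ == "__main__":
    # Constructed from the three binding examples on this page.
    cases = [
        ("www.example.com", "www.example.com", ["www.example.com", "example.com"]),
        ("api.example.com", "*.example.com", ["*.example.com", "example.com"]),
        ("old.example.com", "www.example.com", ["www.example.com"]),
    ]
    for binding, cn, sans in cases:
        print(binding, "->", match_hostname(binding, cn, sans))
```

Browsers apply the same precedence, so a binding that reports "No Match" here is one that will produce a certificate warning for users even though IIS serves it without complaint.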
Phase 6: Duplicate Certificate Detection
- Duplicate Count - Number of certificates with identical Subject/SAN
- Duplicate List - Thumbprints of all duplicate certificates
- Private Key Status - Which duplicates have private keys (security risk if multiple)
- Store Location - Where each duplicate is stored (LocalMachine, CurrentUser)
- Expiration Dates - Validity period for each duplicate
- Phase 6 Alert - A warning is displayed if the duplicate count exceeds the threshold or more than one duplicate has a private key
Phase 6 State Examples
✅ OK - No Duplicates:
Duplicate Count: 1 (no duplicates)
Phase 6 Status: ✅ OK (Single certificate, no ambiguity)
⚠️ WARNING - Renewal Overlap:
Duplicate Count: 2
Duplicates:
1. Thumbprint: ABC123... (New - Private Key ✅)
Valid From: 2025-01-15 | Expires: 2026-01-15
2. Thumbprint: DEF456... (Old - No Private Key)
Valid From: 2024-01-15 | Expires: 2025-01-15 (Expired)
Cross-Store Status: None
Phase 6 Status: ⚠️ WARNING (2 duplicates, only 1 with private key - safe to remove old cert)
❌ ERROR - Private Key Ambiguity:
Duplicate Count: 2
Duplicates:
1. Thumbprint: ABC123... (Private Key ✅)
Valid From: 2025-01-15 | Expires: 2026-01-15
2. Thumbprint: DEF456... (Private Key ✅)
Valid From: 2024-01-15 | Expires: 2025-01-15
Cross-Store Status: None
Phase 6 Status: ❌ ERROR (2 duplicates with private keys - ambiguous selection, app confusion risk)
⚠️ WARNING - Cross-Store Duplicate:
Duplicate Count: 2
Duplicates:
1. Thumbprint: ABC123... (LocalMachine\My - Private Key ✅)
2. Thumbprint: ABC123... (CurrentUser\My - Private Key ✅)
Cross-Store Status: ⚠️ Multiple Stores
Phase 6 Status: ⚠️ WARNING (Duplicate across stores - consolidate if not intentional)
⚠️ WARNING - Threshold Exceeded:
Duplicate Count: 5 (exceeds maximum of 1)
Maximum Allowed: 1
Duplicates:
1. Thumbprint: ABC123... (Current - Private Key ✅)
2-5. Thumbprint: DEF456, GHI789, JKL012, MNO345 (No Private Key)
Phase 6 Status: ⚠️ WARNING (5 duplicates exceed threshold - cleanup needed)
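The Phase 6 states above can be derived from a store inventory in two steps: group certificates by identity (Subject plus SAN names), then grade each group. The following is an added example, not Nodinite's own code; the inventory is constructed to reproduce the renewal-overlap, private-key-ambiguity, cross-store and threshold states. One reading is an assumption: `max_allowed` counts extra copies beside the current certificate, so a count of 2 is a renewal overlap while a count of 5 exceeds a maximum of 1, as on this page.

```python
"""Phase 6 duplicate detection: group an inventory by certificate identity and
grade each group into the states shown on this page. Added example, not
Nodinite's code; the inventory is constructed and 'max_allowed' is read as
the number of extra copies permitted beside the current certificate."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    thumbprint: str
    subject: str          # CN value
    sans: tuple           # DNS names from the SAN extension
    store: str            # e.g. 'LocalMachine\\My'
    has_private_key: bool
    valid_from: date
    valid_until: date


def identity_key(cert):
    """Two certificates are duplicates when they cover the same set of names."""
    names = {cert.subject.lower()} | {s.lower() for s in cert.sans}
    return tuple(sorted(names))


def group_duplicates(inventory):
    groups = defaultdict(list)
    for cert in inventory:
        groups[identity_key(cert)].append(cert)
    return dict(groups)


def assess_phase6(certs, today, max_allowed=1):
    """Grade one identity group. Returns (status, duplicate_count, summary)."""
    count = len(certs)
    if count <= 1:
        return "OK", count, "Single certificate, no ambiguity"

    stores_by_thumb = defaultdict(set)
    for c in certs:
        stores_by_thumb[c.thumbprint].add(c.store)
    distinct = len(stores_by_thumb)                       # distinct certificates
    keyed = {c.thumbprint for c in certs if c.has_private_key}
    cross_store = [t for t, s in stores_by_thumb.items() if len(s) > 1]

    # Two different certificates both able to sign/decrypt: an application or
    # IIS may select either one, so this is the most severe state.
    if len(keyed) > 1:
        return "ERROR", count, f"{distinct} duplicates with private keys - ambiguous selection, app confusion risk"
    if count - 1 > max_allowed:
        return "WARNING", count, f"{count} duplicates exceed threshold of {max_allowed} - cleanup needed"
    if cross_store:
        stores = ", ".join(sorted(stores_by_thumb[cross_store[0]]))
        return "WARNING", count, f"Duplicate across stores ({stores}) - consolidate if not intentional"
    stale = [c for c in certs if c.valid_until < today and not c.has_private_key]
    if stale:
        return "WARNING", count, f"{count} duplicates, only {len(keyed)} with private key - safe to remove old cert"
    return "WARNING", count, f"{count} duplicates, {len(keyed)} with private key - review before the old copy expires"


def assess_inventory(inventory, today, max_allowed=1):
    """Run Phase 6 over a whole scan; results are keyed by the first identity name."""
    return {key[0]: assess_phase6(certs, today, max_allowed)
            for key, certs in group_duplicates(inventory).items()}


# Constructed inventory covering each state on this page.
TODAY = date(2025, 11, 15)
INVENTORY = [
    # renewal overlap: new cert with key, expired old copy without key
    CertRecord("ABC123", "www.example.com", ("www.example.com",), "LocalMachine\\My", True, date(2025, 1, 15), date(2026, 1, 15)),
    CertRecord("DEF456", "www.example.com", ("www.example.com",), "LocalMachine\\My", False, date(2024, 1, 15), date(2025, 1, 15)),
    # private key ambiguity: two different certs, both with keys
    CertRecord("AAA111", "api.example.com", (), "LocalMachine\\My", True, date(2025, 1, 15), date(2026, 1, 15)),
    CertRecord("BBB222", "api.example.com", (), "LocalMachine\\My", True, date(2024, 1, 15), date(2025, 1, 15)),
    # cross-store: the same thumbprint installed in two stores
    CertRecord("CCC333", "mail.example.com", (), "LocalMachine\\My", True, date(2025, 1, 15), date(2026, 1, 15)),
    CertRecord("CCC333", "mail.example.com", (), "CurrentUser\\My", True, date(2025, 1, 15), date(2026, 1, 15)),
    # threshold exceeded: one current cert plus four stale copies without keys
    *[CertRecord(f"THR{i}", "legacy.example.com", (), "LocalMachine\\My", i == 0, date(2025 - i, 1, 15), date(2026 - i, 1, 15)) for i in range(5)],
    # single certificate
    CertRecord("EEE555", "sso.example.com", (), "LocalMachine\\My", True, date(2025, 1, 15), date(2026, 1, 15)),
]

if __name__ == "__main__":
    for name, result in assess_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {result}")
```

Grouping on the full name set rather than the CN alone matters: a renewed certificate that gained or lost a SAN is not a duplicate of its predecessor, and a CN-only comparison would either miss real duplicates or flag distinct certificates.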
Duplicate Management Actions
Identify Duplicates
View certificate details to see all duplicates:
- Number of duplicate certificates with same Subject/SAN
- Private key status of each duplicate
- Store location of each duplicate
- Expiration date for renewal planning
Cleanup Duplicates
For Renewal Overlaps:
- Verify new certificate is active and working
- Remove old certificate after overlap period ends
- Confirm IIS bindings point to current certificate
For Multiple Private Keys:
- Identify correct certificate (check application config, IIS bindings)
- Remove private key from unused copies (use Certificate Manager or PowerShell)
- Delete old certificate after removing private key
For Cross-Store Duplicates:
- Decide if cross-store placement is needed
- If not intentional, remove from secondary store
- Consolidate to single store (usually LocalMachine for services)
For Threshold Exceeded:
- Review all duplicates and determine age/purpose
- Remove unnecessary copies
- Keep only current certificate + one backup (if desired)
Comprehensive Certificate Assessment
The certificate details display consolidates findings from all six phases:
- Priority Alerts - Most critical issues first
- Phased Assessment - Each phase shows its specific findings
- Actionable Recommendations - Specific steps to remediate issues
- Lifecycle Status - Expiration details and renewal recommendations
- Duplicate Status - Duplicate count, private key risks, and cross-store information
Edit Certificate-Specific Thresholds
Override global thresholds for individual certificates to accommodate different lifecycle requirements.
Threshold Configuration Interface
Certificate: "www.example.com - Issued By: Contoso Internal CA"
Current Global Thresholds: Warning=30 days, Error=7 days
Override Global Thresholds: [✓ Checked]
Warning Days Before Expiration: [60] days
Error Days Before Expiration: [14] days
[Save] [Cancel] [Revert to Global]
Threshold Configuration Options
- Override Global Thresholds - When checked, use certificate-specific thresholds instead of global defaults
- Warning Days Before Expiration - Days before expiration to show WARNING state (recommended: 30-90 days)
- Error Days Before Expiration - Days before expiration to show ERROR state (recommended: 7-30 days)
Threshold Use Cases
Critical Production Certificates:
Warning: 90 days before expiration (3 months)
Error: 30 days before expiration (1 month)
Rationale: Long lead time for renewal in production environments
Standard Service Certificates:
Warning: 30 days before expiration (default)
Error: 7 days before expiration (default)
Rationale: Adequate time for renewal with normal processes
Development/Test Certificates:
Warning: 7 days before expiration
Error: 1 day before expiration
Rationale: Short lifecycle in dev/test environments, less critical
Non-Production Staging Certificates:
Warning: 14 days before expiration
Error: 3 days before expiration
Rationale: Medium lifecycle, should renew before test cycles
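The override semantics of the threshold editor (a checked override replaces the global Warning/Error days; "Revert to Global" clears it) and the four use cases above can be evaluated with a few lines of date arithmetic. The following is an added example, not Nodinite's own code; the profiles copy the page's use cases, the `EXPIRED` state for a negative remaining-days count and the rejection of an Error threshold larger than the Warning threshold are assumptions.

```python
"""Expiration threshold evaluation with per-certificate override of the global
Warning/Error days. Added example, not Nodinite's code; profiles copy the
page's use cases, the EXPIRED state and the validation rule are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Thresholds:
    warning_days: int   # WARNING when this many days or fewer remain
    error_days: int     # ERROR when this many days or fewer remain

    def __post_init__(self):
        # An Error threshold above the Warning one would make WARNING unreachable.
        if self.error_days < 0 or self.warning_days < self.error_days:
            raise ValueError("warning_days must be >= error_days >= 0")


GLOBAL_DEFAULT = Thresholds(warning_days=30, error_days=7)

PROFILES = {
    "critical-production": Thresholds(90, 30),
    "standard-service": GLOBAL_DEFAULT,
    "development-test": Thresholds(7, 1),
    "staging": Thresholds(14, 3),
}


def days_until_expiration(valid_until: date, today: date) -> int:
    """Remaining days; negative once the certificate has expired."""
    return (valid_until - today).days


def evaluate(valid_until: date, today: date,
             override: Optional[Thresholds] = None,
             global_thresholds: Thresholds = GLOBAL_DEFAULT):
    """Return (state, days_remaining, thresholds_used). 'override=None' is the
    'Revert to Global' position of the editor."""
    thresholds = override if override is not None else global_thresholds
    remaining = days_until_expiration(valid_until, today)
    if remaining < 0:
        state = "EXPIRED"
    elif remaining <= thresholds.error_days:
        state = "ERROR"
    elif remaining <= thresholds.warning_days:
        state = "WARNING"
    else:
        state = "OK"
    return state, remaining, thresholds


def evaluate_iso(valid_until_iso: str, today_iso: str, profile: Optional[str] = None):
    """Convenience wrapper taking ISO dates and a profile name from PROFILES."""
    override = PROFILES[profile] if profile else None
    return evaluate(date.fromisoformat(valid_until_iso), date.fromisoformat(today_iso), override)


if __name__ == "__main__":
    # The same certificate, 16 days from expiry, under each profile.
    for name in PROFILES:
        print(name, evaluate_iso("2025-12-01", "2025-11-15", name))
```

The same certificate 16 days from expiry is OK under the dev/test profile, WARNING under the global default and already ERROR under the critical-production profile, which is the whole point of per-certificate overrides.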
List Expired Certificates
View a comprehensive list of expired certificates for bulk remediation and compliance reporting.
Expired Certificates by Store
Generate a report of expired certificates grouped by certificate store:
Expired Certificates Report
Generated: 2025-11-15 10:30 UTC
Server: WEB-SERVER-01
LocalMachine\My Store (12 expired):
1. www.example.com - Expired 31 days ago - Issued By: Contoso Internal CA
2. mail.example.com - Expired 36 days ago - Issued By: Contoso Internal CA
3. api.example.com - Expired 5 days ago - Issued By: Contoso Internal CA
... (9 more)
CurrentUser\My Store (0 expired)
Service Account (AppPool1) Store (2 expired):
1. sql-server-cert - Expired 8 days ago - Issued By: Contoso Internal CA
2. app-service-cert - Expired 12 days ago - Issued By: Contoso Internal CA
Total Expired: 14 certificates
Action Required: Renew or replace expired certificates
Estimated Renewal Effort: 3-4 hours (manual remediation)
List Features
- Store Grouping - Certificates organized by store location (LocalMachine, CurrentUser, Service Account)
- Expired Duration - Shows how long past expiration
- Issuer Information - Certificate authority that issued the cert
- Renewal Status - Whether new certificate is available
- Search/Filter - Find specific certificates by name or issuer
- Pagination - Browse large certificate lists
- Export - Download as CSV for spreadsheet analysis
Export Certificate List
Export expired certificates to CSV for compliance reporting and spreadsheet analysis:
Friendly Name,Issued By,Subject,Valid From,Valid Until,Expired Days Ago,IIS Binding,Binding Hostname,Hostname Match,Store
www.example.com,Contoso Internal CA,www.example.com,2024-11-15,2025-11-15,0,Yes,www.example.com,Exact,LocalMachine\My
mail.example.com,Contoso Internal CA,mail.example.com,2024-11-15,2025-11-10,5,No,N/A,N/A,LocalMachine\My
api.example.com,Contoso Internal CA,api.example.com,2024-11-15,2025-11-10,5,Yes,api.example.com,Mismatch,LocalMachine\My
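The store-grouped report and the CSV export above come from the same filtered inventory. The following is an added example, not Nodinite's own code; the records are constructed and the hostname-match value is carried in each record rather than recomputed. It handles two things a hand-rolled export gets wrong: a Subject that is a full DN with commas is quoted by the `csv` module instead of breaking the column layout, and a cell that starts with a formula trigger character (`=`, `+`, `-`, `@`) is neutralised before the file is opened in a spreadsheet, since friendly names are free text edited by administrators.

```python
"""Expired-certificate report and CSV export grouped by store, in the page's
column order. Added example, not Nodinite's code; the inventory is constructed."""
import csv
import io
from datetime import date

CSV_COLUMNS = ["Friendly Name", "Issued By", "Subject", "Valid From", "Valid Until",
               "Expired Days Ago", "IIS Binding", "Binding Hostname", "Hostname Match", "Store"]

# Constructed records: one Subject is a DN containing commas, one friendly name
# starts with '-', and one certificate is still valid and must not be listed.
TODAY = date(2025, 11, 15)
INVENTORY = [
    {"friendly_name": "www.example.com", "issuer": "Contoso Internal CA", "subject": "www.example.com",
     "valid_from": date(2024, 11, 15), "valid_until": date(2025, 10, 15), "store": "LocalMachine\\My",
     "binding": "www.example.com", "match": "Exact"},
    {"friendly_name": "mail.example.com", "issuer": "Contoso Internal CA", "subject": "CN=mail.example.com, O=Contoso",
     "valid_from": date(2024, 11, 15), "valid_until": date(2025, 11, 10), "store": "LocalMachine\\My",
     "binding": None, "match": None},
    {"friendly_name": "-old-api-cert", "issuer": "Contoso Internal CA", "subject": "api.example.com",
     "valid_from": date(2024, 11, 15), "valid_until": date(2025, 11, 7), "store": "Service Account (AppPool1)",
     "binding": "api.example.com", "match": "Mismatch"},
    {"friendly_name": "portal.example.com", "issuer": "Contoso Internal CA", "subject": "portal.example.com",
     "valid_from": date(2025, 1, 1), "valid_until": date(2026, 1, 1), "store": "LocalMachine\\My",
     "binding": "portal.example.com", "match": "Exact"},
]


def expired_only(inventory, today):
    """Certificates past their Valid Until date, longest expired first."""
    return sorted((c for c in inventory if c["valid_until"] < today), key=lambda c: c["valid_until"])


def group_by_store(certs):
    groups = {}
    for c in certs:
        groups.setdefault(c["store"], []).append(c)
    return groups


def render_report(certs, today, server, max_rows=3):
    lines = ["Expired Certificates Report", f"Generated: {today.isoformat()}", f"Server: {server}"]
    for store, items in group_by_store(certs).items():
        lines.append(f"{store} Store ({len(items)} expired):")
        for i, c in enumerate(items[:max_rows], 1):
            lines.append(f"  {i}. {c['friendly_name']} - Expired {(today - c['valid_until']).days} days ago"
                         f" - Issued By: {c['issuer']}")
        if len(items) > max_rows:
            lines.append(f"  ... ({len(items) - max_rows} more)")
    lines.append(f"Total Expired: {len(certs)} certificates")
    return "\n".join(lines)


def spreadsheet_safe(value):
    """Prefix a quote so a cell beginning with = + - @ is displayed as text
    rather than evaluated as a formula when the CSV is opened in a spreadsheet."""
    text = "" if value is None else str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def to_csv(certs, today):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for c in certs:
        writer.writerow({
            "Friendly Name": spreadsheet_safe(c["friendly_name"]),
            "Issued By": spreadsheet_safe(c["issuer"]),
            "Subject": spreadsheet_safe(c["subject"]),
            "Valid From": c["valid_from"].isoformat(),
            "Valid Until": c["valid_until"].isoformat(),
            "Expired Days Ago": (today - c["valid_until"]).days,
            "IIS Binding": "Yes" if c["binding"] else "No",
            "Binding Hostname": c["binding"] or "N/A",
            "Hostname Match": c["match"] or "N/A",
            "Store": c["store"],
        })
    return buf.getvalue()


if __name__ == "__main__":
    expired = expired_only(INVENTORY, TODAY)
    print(render_report(expired, TODAY, "WEB-SERVER-01"))
    print(to_csv(expired, TODAY))
```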
Bulk Remediation Workflows
Workflow: Identify All Production Certs to Renew
- Open Certificate Store resource (Store category)
- Click List Expired Certificates
- Review all expired certificates
- For each production certificate:
  - Note issuer and subject
  - Request renewal from CA
  - Plan rollout schedule
- Export list to CSV for tracking
Workflow: Generate Compliance Report
- List all expired certificates
- Export to CSV
- Include in compliance audit:
  - Which certificates expired
  - How long overdue
  - Renewal status
  - Business impact assessment