- 10 minutes to read
FAQ - Certificate Testing Scenarios for Private Key Monitoring
This guide provides PowerShell 7 scripts to create test certificates for validating Nodinite Private Key Health Monitoring features. Use these scenarios to test certificate monitoring capabilities in development or staging environments.
PowerShell 7 Required
These scripts are designed for PowerShell 7 and use modern certificate management features. Ensure you're running PowerShell 7 or later for full compatibility.
Warning
These scripts are for testing purposes only. Never use weak certificates or exportable private keys in production environments.
Testing Scenarios Overview
Create comprehensive test certificates to validate all aspects of certificate monitoring and private key health detection:
| Scenario | Test Case | Expected State | Description |
|---|---|---|---|
| 1. Missing Private Key | Certificate without accessible private key | ❌ Error | Tests detection when certificate exists but private key is missing or inaccessible |
| 2. Exportable Private Key | Certificate with exportable private key | ⚠️ Warning | Tests security risk detection for private keys that can be exported |
| 3. Weak Cryptography | 1024-bit RSA certificate | ⚠️ Warning | Tests detection of cryptographically weak key lengths |
| 4. Healthy Certificate | 2048-bit non-exportable RSA | ✅ OK | Tests baseline monitoring for properly configured certificates |
Quick Start Options
- Individual Testing: Jump to specific scenarios using the links above
- Comprehensive Testing: Use the Batch Testing Script to create all scenarios at once
- Validation Guide: Follow Usage Instructions for monitoring verification steps
Testing Scenario 1: Certificate Without Private Key
Use Case: Test monitoring detection of certificates where the private key is missing or inaccessible.
PowerShell Script
# Create certificate with private key, then export/import to remove private key access
Write-Host "Creating certificate without accessible private key..." -ForegroundColor Cyan
# Step 1: Create certificate with private key
$cert = New-SelfSignedCertificate `
-Subject "CN=TestCert-NoPrivateKey, O=Nodinite Testing" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddDays(90) `
-KeyUsage DigitalSignature, KeyEncipherment
Write-Host "✓ Certificate created with thumbprint: $($cert.Thumbprint)" -ForegroundColor Green
# Step 2: Export certificate without private key
$exportPath = "$env:TEMP\TestCert-NoPrivateKey.cer"
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT
Write-Host "✓ Certificate exported to: $exportPath" -ForegroundColor Green
# Step 3: Remove original certificate (with private key)
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Force
Write-Host "✓ Original certificate with private key removed" -ForegroundColor Yellow
# Step 4: Import certificate back (without private key)
$importedCert = Import-Certificate -FilePath $exportPath -CertStoreLocation "Cert:\LocalMachine\My"
Write-Host "✓ Certificate re-imported without private key access" -ForegroundColor Green
Write-Host " Thumbprint: $($importedCert.Thumbprint)" -ForegroundColor White
# Verification
$testCert = Get-Item -Path "Cert:\LocalMachine\My\$($importedCert.Thumbprint)"
if ($testCert.HasPrivateKey) {
Write-Host "⚠️ Certificate shows HasPrivateKey=True but private key may not be accessible" -ForegroundColor Yellow
} else {
Write-Host "✓ Certificate HasPrivateKey=False - monitoring should detect missing private key" -ForegroundColor Green
}
# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($importedCert.Thumbprint)' -Force" -ForegroundColor White
Expected Result - Scenario 1
- State: ❌ Error
- Detection: Certificate exists but private key is missing or inaccessible
- Alert: Private key health check failure
Testing Scenario 2: Exportable Private Key
Use Case: Test monitoring detection of certificates with exportable private keys (security risk).
Scenario 2 Script
# Create certificate with exportable private key
Write-Host "Creating certificate with exportable private key..." -ForegroundColor Cyan
$cert = New-SelfSignedCertificate `
-Subject "CN=TestCert-ExportableKey, O=Nodinite Testing" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-KeyExportPolicy Exportable `
-NotAfter (Get-Date).AddDays(90) `
-KeyUsage DigitalSignature, KeyEncipherment
Write-Host "✓ Certificate created with exportable private key" -ForegroundColor Green
Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
Write-Host " Subject: $($cert.Subject)" -ForegroundColor White
# Verification - Test if private key is actually exportable
try {
$exportPath = "$env:TEMP\TestExportableKey.pfx"
$password = ConvertTo-SecureString -String "TestPassword123!" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $exportPath -Password $password -Force | Out-Null
Write-Host "✓ Private key export successful - key is exportable" -ForegroundColor Yellow
Remove-Item $exportPath -Force -ErrorAction SilentlyContinue
} catch {
Write-Host "✗ Private key export failed: $($_.Exception.Message)" -ForegroundColor Red
}
# Display certificate properties
$certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Write-Host "`n Certificate Properties:" -ForegroundColor Cyan
Write-Host " HasPrivateKey: $($certDetails.HasPrivateKey)" -ForegroundColor White
Write-Host " KeyAlgorithm: $($certDetails.PublicKey.Key.KeySize)-bit $($certDetails.PublicKey.Oid.FriendlyName)" -ForegroundColor White
# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor White
Expected Result - Scenario 2
- State: ⚠️ Warning
- Detection: Private key is exportable (security risk)
- Alert: Exportable private key detected
Testing Scenario 3: Weak Key Length (1024-bit RSA)
Use Case: Test monitoring detection of certificates with weak cryptographic key lengths.
Scenario 3 Script
# Create certificate with weak 1024-bit RSA key
Write-Host "Creating certificate with weak 1024-bit RSA key..." -ForegroundColor Cyan
$cert = New-SelfSignedCertificate `
-Subject "CN=TestCert-WeakKey, O=Nodinite Testing" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 1024 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddDays(90) `
-KeyUsage DigitalSignature, KeyEncipherment
Write-Host "✓ Certificate created with 1024-bit RSA key (weak)" -ForegroundColor Yellow
Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
Write-Host " Subject: $($cert.Subject)" -ForegroundColor White
# Display key strength details
$certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Write-Host "`n Key Strength Analysis:" -ForegroundColor Yellow
Write-Host " Algorithm: $($certDetails.PublicKey.Oid.FriendlyName)" -ForegroundColor White
Write-Host " Key Size: $($certDetails.PublicKey.Key.KeySize) bits" -ForegroundColor Red
Write-Host " Security Level: WEAK (minimum recommended: 2048 bits)" -ForegroundColor Red
Write-Host " Hash Algorithm: $($certDetails.SignatureAlgorithm.FriendlyName)" -ForegroundColor White
# Additional security context
Write-Host "`n Security Context:" -ForegroundColor Cyan
Write-Host " • 1024-bit RSA keys are deprecated by NIST (SP 800-57)" -ForegroundColor White
Write-Host " • Industry standard minimum is 2048-bit RSA" -ForegroundColor White
Write-Host " • This certificate should trigger a security warning" -ForegroundColor White
# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor White
Expected Result - Scenario 3
- State: ⚠️ Warning or ❌ Error (based on policy)
- Detection: Key length below security standards (< 2048 bits)
- Alert: Weak cryptographic key detected
Testing Scenario 4: Healthy Certificate (2048-bit Non-exportable RSA)
Use Case: Test monitoring of a properly configured certificate that should show healthy status.
Scenario 4 Script
# Create secure certificate with best practices
Write-Host "Creating healthy certificate with security best practices..." -ForegroundColor Cyan
$cert = New-SelfSignedCertificate `
-Subject "CN=TestCert-Healthy, O=Nodinite Testing" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddDays(365) `
-KeyUsage DigitalSignature, KeyEncipherment `
-EnhancedKeyUsage "1.3.6.1.5.5.7.3.1" # Server Authentication
Write-Host "✓ Healthy certificate created successfully" -ForegroundColor Green
Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
Write-Host " Subject: $($cert.Subject)" -ForegroundColor White
# Display security properties
$certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Write-Host "`n Security Properties:" -ForegroundColor Green
Write-Host " Algorithm: $($certDetails.PublicKey.Oid.FriendlyName)" -ForegroundColor White
Write-Host " Key Size: $($certDetails.PublicKey.Key.KeySize) bits (Strong)" -ForegroundColor Green
Write-Host " Hash Algorithm: $($certDetails.SignatureAlgorithm.FriendlyName)" -ForegroundColor White
Write-Host " Private Key: $($certDetails.HasPrivateKey) (Non-exportable)" -ForegroundColor Green
Write-Host " Valid Until: $($certDetails.NotAfter.ToString('yyyy-MM-dd'))" -ForegroundColor White
# Test private key accessibility
try {
$privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certDetails)
if ($privateKey) {
Write-Host " Private Key Access: ✓ Available and accessible" -ForegroundColor Green
}
} catch {
Write-Host " Private Key Access: ✗ Error accessing private key" -ForegroundColor Red
}
# Calculate days until expiration
$daysUntilExpiry = ($certDetails.NotAfter - (Get-Date)).Days
Write-Host "`n Expiration Status:" -ForegroundColor Cyan
Write-Host " Days Until Expiry: $daysUntilExpiry days" -ForegroundColor White
if ($daysUntilExpiry -gt 90) {
Write-Host " Status: ✓ Well within expiration threshold" -ForegroundColor Green
} elseif ($daysUntilExpiry -gt 30) {
Write-Host " Status: ⚠️ Approaching expiration (< 90 days)" -ForegroundColor Yellow
} else {
Write-Host " Status: ⚠️ Critical - Expires soon (< 30 days)" -ForegroundColor Red
}
# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor White
Expected Result - Scenario 4
- State: ✅ OK
- Detection: Strong key, non-exportable, valid, not expiring soon
- Alert: No alerts (healthy certificate)
Batch Testing Script
Create all four test scenarios at once:
Complete Test Suite
# Nodinite Certificate Testing Suite
Write-Host "=== Nodinite Certificate Testing Suite ===" -ForegroundColor Magenta
Write-Host "Creating all four certificate testing scenarios..." -ForegroundColor Cyan
$certificates = @()
try {
# Scenario 1: Certificate without private key
Write-Host "`n1. Creating certificate without private key..." -ForegroundColor Yellow
$cert1 = New-SelfSignedCertificate -Subject "CN=Test-NoPrivateKey" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048
$exportPath = "$env:TEMP\TestCert-NoPrivateKey.cer"
Export-Certificate -Cert $cert1 -FilePath $exportPath -Type CERT | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($cert1.Thumbprint)" -Force
$cert1Import = Import-Certificate -FilePath $exportPath -CertStoreLocation "Cert:\LocalMachine\My"
$certificates += @{Name="No Private Key"; Thumbprint=$cert1Import.Thumbprint; Expected="Error"}
Remove-Item $exportPath -Force
# Scenario 2: Exportable private key
Write-Host "2. Creating certificate with exportable private key..." -ForegroundColor Yellow
$cert2 = New-SelfSignedCertificate -Subject "CN=Test-ExportableKey" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -KeyExportPolicy Exportable
$certificates += @{Name="Exportable Key"; Thumbprint=$cert2.Thumbprint; Expected="Warning"}
# Scenario 3: Weak key length
Write-Host "3. Creating certificate with weak 1024-bit key..." -ForegroundColor Yellow
$cert3 = New-SelfSignedCertificate -Subject "CN=Test-WeakKey" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 1024 -KeyExportPolicy NonExportable
$certificates += @{Name="Weak Key (1024-bit)"; Thumbprint=$cert3.Thumbprint; Expected="Warning/Error"}
# Scenario 4: Healthy certificate
Write-Host "4. Creating healthy certificate..." -ForegroundColor Yellow
$cert4 = New-SelfSignedCertificate -Subject "CN=Test-Healthy" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddDays(365)
$certificates += @{Name="Healthy Certificate"; Thumbprint=$cert4.Thumbprint; Expected="OK"}
# Summary
Write-Host "`n=== Test Certificate Summary ===" -ForegroundColor Magenta
foreach ($cert in $certificates) {
Write-Host "$($cert.Name): $($cert.Thumbprint) (Expected: $($cert.Expected))" -ForegroundColor White
}
Write-Host "`n Next Steps:" -ForegroundColor Cyan
Write-Host "1. Configure Nodinite to monitor LocalMachine\My certificate store" -ForegroundColor White
Write-Host "2. Wait for monitoring agent to discover certificates" -ForegroundColor White
Write-Host "3. Verify each certificate shows expected monitoring state" -ForegroundColor White
Write-Host "4. Test alert notifications for Warning/Error states" -ForegroundColor White
# Cleanup script
Write-Host "`n Cleanup All Test Certificates:" -ForegroundColor Magenta
foreach ($cert in $certificates) {
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor Gray
}
} catch {
Write-Host "Error creating test certificates: $($_.Exception.Message)" -ForegroundColor Red
}
Usage Instructions
Running the Scripts
Open PowerShell 7 as Administrator
# Ensure you're using PowerShell 7 and run as Administrator # Required for LocalMachine certificate store access Start-Process pwsh -Verb RunAs # Verify PowerShell version $PSVersionTable.PSVersion # Should show 7.x.x or higherRun Individual Scenarios
- Copy and paste each scenario script
- Monitor the certificate in Nodinite interface
- Verify expected monitoring state
Run Complete Test Suite
- Use the batch script to create all scenarios
- Monitor all certificates simultaneously
- Compare actual vs expected results
Monitoring Verification
After creating test certificates:
- Agent Discovery: Wait 1-2 minutes for monitoring agent to discover new certificates
- Monitor Views: Check certificate resources appear in Monitor Views
- State Verification: Confirm each certificate shows expected state (OK/Warning/Error)
- Alert Testing: Verify Warning/Error certificates trigger notifications
Cleanup
Always clean up test certificates after validation:
# Remove all test certificates (adjust thumbprints as needed)
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*Test*"} | Remove-Item -Force
Troubleshooting
Common Issues
Q: Certificate shows HasPrivateKey=True but monitoring reports missing private key
A: This can happen when the private key exists but is not accessible to the monitoring service account. Verify service account permissions to the private key.
Q: 1024-bit certificate doesn't trigger weak key warning
A: Check monitoring agent configuration for key strength policies. Some policies may be disabled by default.
Q: Exportable key detection not working
A: Exportable key detection requires specific permissions. Ensure monitoring service account can query certificate key properties.
Next Steps
Run PowerShell Scripts - Execute individual or batch testing scenarios
Verify Monitoring Results - Confirm expected certificate states in Nodinite
Clean Up Test Certificates - Remove test certificates after validation
Related Topics
Certificate Overview
Certificate Monitoring
Certificate Configuration
FAQ: Certificates for gMSA Accounts