FAQ - Weak Cryptography Testing Scenarios for Algorithm Detection
This guide provides PowerShell 7 scripts to create test certificates for validating Nodinite Phase 2: Weak Cryptography Detection features. Use these scenarios to test algorithm security monitoring capabilities in development or staging environments.
PowerShell 7 Required
These scripts are designed for PowerShell 7 and use modern certificate management features. Ensure you're running PowerShell 7 or later for full compatibility.
Warning
These scripts are for testing purposes only. Never use weak algorithms or deprecated cryptography in production environments.

Figure: Example of weak cryptography detection showing an MD5RSA signature algorithm and a 512-bit RSA public key with security warnings.

Figure: Example showing how certificates with weak cryptography appear in Monitor Views, with SHA-1 certificates displayed as warning resources alongside actionable replacement recommendations.
Testing Scenarios Overview
Create comprehensive test certificates to validate all aspects of weak cryptography detection and algorithm security assessment:
| Scenario | Test Case | Expected State | Description |
|---|---|---|---|
| 1. SHA-1 Signature Algorithm | Certificate with SHA-1 signature | ⚠️ Warning | Tests detection of weak SHA-1 signature algorithms vs secure SHA-256 |
| 2. MD5 Hash Algorithm | Certificate with MD5 hash | ❌ Error | Tests detection of critically weak MD5 hash algorithms |
| 3. Weak RSA Public Key | Certificate with 1024-bit RSA public key | ⚠️ Warning | Tests detection of weak RSA public key sizes (different from private key) |
| 4. Strong Modern Cryptography | Certificate with SHA-256 + 2048-bit RSA | ✅ OK | Tests baseline for secure cryptographic algorithms |
Quick Start Options
- Individual Testing: Jump to specific scenarios using the links above
- Comprehensive Testing: Use the Batch Testing Script to create all scenarios at once
- Validation Guide: Follow Usage Instructions for monitoring verification steps
Testing Scenario 1: SHA-1 Signature Algorithm
Use Case: Test monitoring detection of certificates using deprecated SHA-1 signature algorithms.
PowerShell Script
```powershell
# Create certificate with SHA-1 signature algorithm (deprecated)
Write-Host "Creating certificate with SHA-1 signature algorithm..." -ForegroundColor Cyan

# Note: Modern PowerShell versions may not support SHA-1 directly
# This example shows the concept - actual implementation may require older tools
try {
    # Attempt to create SHA-1 signed certificate (limited support in modern systems)
    $cert = New-SelfSignedCertificate `
        -Subject "CN=TestCert-SHA1-Signature, O=Nodinite Crypto Testing" `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeyLength 2048 `
        -KeyAlgorithm RSA `
        -HashAlgorithm SHA1 `
        -NotAfter (Get-Date).AddDays(90) `
        -KeyUsage DigitalSignature, KeyEncipherment

    Write-Host "✓ Certificate created with SHA-1 signature" -ForegroundColor Yellow
    Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
    Write-Host " Subject: $($cert.Subject)" -ForegroundColor White

    # Display cryptographic details
    $certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    Write-Host "`n Cryptographic Analysis:" -ForegroundColor Yellow
    Write-Host " Signature Algorithm: $($certDetails.SignatureAlgorithm.FriendlyName)" -ForegroundColor Red
    Write-Host " Hash Algorithm: SHA-1 (DEPRECATED)" -ForegroundColor Red
    Write-Host " Public Key Size: $($certDetails.PublicKey.Key.KeySize) bits" -ForegroundColor White
    Write-Host " Security Level: WEAK - SHA-1 is cryptographically broken" -ForegroundColor Red
} catch {
    Write-Host "⚠️ SHA-1 certificate creation failed (expected on modern systems)" -ForegroundColor Yellow
    Write-Host " Error: $($_.Exception.Message)" -ForegroundColor White
    Write-Host "`n Alternative Approach:" -ForegroundColor Cyan
    Write-Host " • Use older Windows versions or legacy tools" -ForegroundColor White
    Write-Host " • Import existing SHA-1 certificates from test archives" -ForegroundColor White
    Write-Host " • Use OpenSSL to generate SHA-1 signed certificates" -ForegroundColor White
}

# Security context
Write-Host "`n Security Context:" -ForegroundColor Red
Write-Host " • SHA-1 collision attacks demonstrated in 2017 (SHAttered)" -ForegroundColor White
Write-Host " • Microsoft deprecated SHA-1 for certificates in 2016" -ForegroundColor White
Write-Host " • Browsers reject SHA-1 certificates for HTTPS" -ForegroundColor White
Write-Host " • This certificate should trigger a cryptography warning" -ForegroundColor White

# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Get-ChildItem Cert:\LocalMachine\My | Where-Object {`$_.Subject -like '*SHA1*'} | Remove-Item -Force" -ForegroundColor White
```
Expected Result - Scenario 1
- State: ⚠️ Warning
- Detection: Certificate uses deprecated SHA-1 signature algorithm
- Alert: Weak signature algorithm detected
Testing Scenario 2: MD5 Hash Algorithm
Use Case: Test monitoring detection of certificates using critically weak MD5 hash algorithms.
Scenario 2 Script
```powershell
# Create certificate with MD5 hash algorithm (critically weak)
Write-Host "Creating certificate with MD5 hash algorithm..." -ForegroundColor Cyan

# Note: MD5 is extremely deprecated - this may not work on modern systems
try {
    # This will likely fail on modern Windows - MD5 is blocked
    Write-Host "⚠️ Attempting MD5 certificate creation..." -ForegroundColor Yellow

    # Modern systems block MD5 - showing for educational purposes
    $cert = New-SelfSignedCertificate `
        -Subject "CN=TestCert-MD5-Hash, O=Nodinite Crypto Testing" `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeyLength 2048 `
        -KeyAlgorithm RSA `
        -HashAlgorithm MD5 `
        -NotAfter (Get-Date).AddDays(90)

    # This code won't execute on modern systems
    Write-Host "✗ Unexpected: MD5 certificate created" -ForegroundColor Red
    Write-Host " This should not succeed on secure systems!" -ForegroundColor Red
} catch {
    Write-Host "✓ MD5 certificate creation blocked (expected behavior)" -ForegroundColor Green
    Write-Host " Error: $($_.Exception.Message)" -ForegroundColor White
    Write-Host "`n System Security:" -ForegroundColor Green
    Write-Host " • Modern Windows blocks MD5 certificate creation" -ForegroundColor White
    Write-Host " • This is correct security behavior" -ForegroundColor White
    Write-Host " • MD5 has been broken since 2004" -ForegroundColor White
}

# Alternative demonstration approach
Write-Host "`n Testing MD5 Detection:" -ForegroundColor Cyan
Write-Host "Since modern systems block MD5 creation:" -ForegroundColor White
Write-Host " 1. Import legacy MD5 certificates from test archives" -ForegroundColor White
Write-Host " 2. Use specialized tools like OpenSSL with force flags" -ForegroundColor White
Write-Host " 3. Test with historical certificates from security labs" -ForegroundColor White

# Security context
Write-Host "`n Critical Security Issues:" -ForegroundColor Red
Write-Host " • MD5 collision attacks practical since 2004" -ForegroundColor White
Write-Host " • Flame malware used MD5 collisions (2012)" -ForegroundColor White
Write-Host " • RFC 6151 officially deprecates MD5 (2011)" -ForegroundColor White
Write-Host " • Any MD5 certificate represents critical security risk" -ForegroundColor White

Write-Host "`n Monitoring Expectation:" -ForegroundColor Cyan
Write-Host "MD5 certificates should trigger ERROR-level alerts" -ForegroundColor Red
```
Expected Result - Scenario 2
- State: ❌ Error
- Detection: Certificate uses critically weak MD5 hash algorithm
- Alert: Critical cryptographic vulnerability detected
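When `New-SelfSignedCertificate` refuses the weak digest, Scenarios 1 and 2 both point to OpenSSL as the fallback; the function below wraps that route so the resulting certificate lands in the same store the monitoring agent scans. This is an added example, not part of the Nodinite scripts, and it assumes `openssl.exe` 3.x is on the PATH; the function name, subject, file locations and PFX password are constructed for this example.

```powershell
# Added example (not Nodinite's own code): generate a self-signed certificate whose
# signature uses a weak digest (sha1 or md5) with OpenSSL and import it into the
# LocalMachine store, for validating weak cryptography detection only.
function New-WeakSignedTestCertificate {
    param(
        [Parameter(Mandatory)][ValidateSet('sha1', 'md5')][string]$Digest,
        [string]$Subject   = "CN=TestCert-$($Digest.ToUpper())-OpenSSL, O=Nodinite Crypto Testing",
        [string]$OutDir    = (Join-Path $env:TEMP 'nodinite-crypto-test'),   # constructed path
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $key = Join-Path $OutDir "$Digest.key"
    $crt = Join-Path $OutDir "$Digest.crt"
    $pfx = Join-Path $OutDir "$Digest.pfx"

    # OpenSSL expects slash-separated RDNs: "/CN=.../O=..."
    $opensslSubject = '/' + (($Subject -split ',\s*') -join '/')

    # Only the signature uses the weak digest; the key itself stays 2048-bit RSA so the
    # monitor's Warning/Error must come from the signature algorithm, not the key size
    & openssl req -x509 -newkey rsa:2048 -nodes -keyout $key -out $crt -days 90 "-$Digest" -subj $opensslSubject
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed for digest '$Digest'" }

    # Bundle key + certificate as PFX so the private key is imported as well.
    # If Import-PfxCertificate rejects the file on older Windows, add -legacy here.
    $pfxPassword = 'test-only'   # constructed, throwaway value
    & openssl pkcs12 -export -inkey $key -in $crt -out $pfx -passout "pass:$pfxPassword"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed for '$Digest'" }

    $secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation $StorePath -Password $secure

    # Do not leave the test private key lying on disk; keep the .crt for inspection
    Remove-Item $key, $pfx -Force
    return $cert
}

# Scenario 1 fallback (use -Digest md5 for Scenario 2)
$weak = New-WeakSignedTestCertificate -Digest sha1
Write-Host "Signature: $($weak.SignatureAlgorithm.FriendlyName)  Thumbprint: $($weak.Thumbprint)" -ForegroundColor Yellow
```

The cleanup filter on `*Crypto Testing*` used elsewhere on this page also removes these certificates, since the subject keeps the same organisation name.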
Testing Scenario 3: Weak RSA Public Key
Use Case: Test monitoring detection of certificates with weak RSA public key sizes (distinct from private key monitoring).
Scenario 3 Script
```powershell
# Create certificate with weak RSA public key size
Write-Host "Creating certificate with weak RSA public key..." -ForegroundColor Cyan

$cert = New-SelfSignedCertificate `
    -Subject "CN=TestCert-WeakPublicKey, O=Nodinite Crypto Testing" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 1024 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddDays(90) `
    -KeyUsage DigitalSignature, KeyEncipherment

Write-Host "✓ Certificate created with weak public key" -ForegroundColor Yellow
Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
Write-Host " Subject: $($cert.Subject)" -ForegroundColor White

# Analyze public key properties
$certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Write-Host "`n Public Key Analysis:" -ForegroundColor Yellow
Write-Host " Public Key Algorithm: $($certDetails.PublicKey.Oid.FriendlyName)" -ForegroundColor White
Write-Host " Public Key Size: $($certDetails.PublicKey.Key.KeySize) bits" -ForegroundColor Red
Write-Host " Signature Algorithm: $($certDetails.SignatureAlgorithm.FriendlyName)" -ForegroundColor White
Write-Host " Security Assessment: WEAK (below 2048-bit minimum)" -ForegroundColor Red

# Compare with private key monitoring
Write-Host "`n Public vs Private Key Monitoring:" -ForegroundColor Cyan
Write-Host " • Private Key Monitoring: Checks key accessibility and exportability" -ForegroundColor White
Write-Host " • Public Key Monitoring: Checks cryptographic strength of the key pair" -ForegroundColor White
Write-Host " • Both 1024-bit: Private key health AND public key strength are weak" -ForegroundColor Yellow
Write-Host " • Different concerns: Access security vs cryptographic security" -ForegroundColor White

# Security implications
Write-Host "`n Security Implications:" -ForegroundColor Yellow
Write-Host " • 1024-bit RSA factorization is feasible with modern computing" -ForegroundColor White
Write-Host " • NIST recommends 2048-bit minimum (SP 800-57)" -ForegroundColor White
Write-Host " • EU eIDAS requires 3072-bit for qualified certificates" -ForegroundColor White
Write-Host " • This certificate should trigger public key strength warning" -ForegroundColor White

# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor White
```
Expected Result - Scenario 3
- State: ⚠️ Warning
- Detection: RSA public key size below security standards (< 2048 bits)
- Alert: Weak public key cryptographic strength detected
Testing Scenario 4: Strong Modern Cryptography
Use Case: Test monitoring of certificates with modern, secure cryptographic algorithms and key sizes.
Scenario 4 Script
```powershell
# Create certificate with strong modern cryptography
Write-Host "Creating certificate with strong modern cryptography..." -ForegroundColor Cyan

$cert = New-SelfSignedCertificate `
    -Subject "CN=TestCert-StrongCrypto, O=Nodinite Crypto Testing" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 2048 `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddDays(365) `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -EnhancedKeyUsage "1.3.6.1.5.5.7.3.1"   # Server Authentication

Write-Host "✓ Strong cryptography certificate created successfully" -ForegroundColor Green
Write-Host " Thumbprint: $($cert.Thumbprint)" -ForegroundColor White
Write-Host " Subject: $($cert.Subject)" -ForegroundColor White

# Display strong cryptography properties
$certDetails = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Write-Host "`n Cryptographic Strength Analysis:" -ForegroundColor Green
Write-Host " Signature Algorithm: $($certDetails.SignatureAlgorithm.FriendlyName)" -ForegroundColor Green
Write-Host " Hash Function: SHA-256 (Strong)" -ForegroundColor Green
Write-Host " Public Key Algorithm: $($certDetails.PublicKey.Oid.FriendlyName)" -ForegroundColor White
Write-Host " Public Key Size: $($certDetails.PublicKey.Key.KeySize) bits (Strong)" -ForegroundColor Green
Write-Host " Security Assessment: SECURE - Meets modern standards" -ForegroundColor Green

# Modern cryptography context
Write-Host "`n Modern Security Standards:" -ForegroundColor Cyan
Write-Host " • SHA-256: Secure hash function, no known weaknesses" -ForegroundColor White
Write-Host " • 2048-bit RSA: Secure until ~2030 (NIST projection)" -ForegroundColor White
Write-Host " • Non-exportable private key: Additional security layer" -ForegroundColor White
Write-Host " • Current industry best practices compliance" -ForegroundColor White

# Future considerations
Write-Host "`n Future-Proofing Notes:" -ForegroundColor Blue
Write-Host " • Consider 3072-bit RSA for long-term use (post-2030)" -ForegroundColor White
Write-Host " • ECC P-256 offers equivalent security with smaller keys" -ForegroundColor White
Write-Host " • Monitor for SHA-3 adoption in future standards" -ForegroundColor White
Write-Host " • Quantum-resistant algorithms in development (NIST PQC)" -ForegroundColor White

# Cleanup instruction
Write-Host "`n Cleanup Command:" -ForegroundColor Magenta
Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor White
```
Expected Result - Scenario 4
- State: ✅ OK
- Detection: Strong cryptographic algorithms and adequate key sizes
- Alert: No alerts (secure modern cryptography)
Batch Testing Script
Create all four cryptographic test scenarios at once:
Complete Cryptography Test Suite
```powershell
# Nodinite Weak Cryptography Testing Suite
Write-Host "=== Nodinite Weak Cryptography Testing Suite ===" -ForegroundColor Magenta
Write-Host "Creating cryptographic algorithm testing scenarios..." -ForegroundColor Cyan

$certificates = @()

try {
    Write-Host "`n Note: Some scenarios may fail on modern systems due to security restrictions" -ForegroundColor Blue

    # Scenario 1: SHA-1 signature (may fail on modern systems)
    Write-Host "`n1. Attempting SHA-1 signature certificate..." -ForegroundColor Yellow
    try {
        $cert1 = New-SelfSignedCertificate -Subject "CN=Test-SHA1" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -HashAlgorithm SHA1
        $certificates += @{Name="SHA-1 Signature"; Thumbprint=$cert1.Thumbprint; Expected="Warning"; Created=$true}
        Write-Host " ✓ SHA-1 certificate created" -ForegroundColor Yellow
    } catch {
        Write-Host " ⚠️ SHA-1 creation blocked (modern security)" -ForegroundColor Yellow
        $certificates += @{Name="SHA-1 Signature"; Thumbprint="N/A"; Expected="Warning"; Created=$false}
    }

    # Scenario 2: MD5 hash (will likely fail)
    Write-Host "2. Attempting MD5 hash certificate..." -ForegroundColor Yellow
    try {
        $cert2 = New-SelfSignedCertificate -Subject "CN=Test-MD5" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -HashAlgorithm MD5
        $certificates += @{Name="MD5 Hash"; Thumbprint=$cert2.Thumbprint; Expected="Error"; Created=$true}
        Write-Host " ⚠️ MD5 certificate created (security risk!)" -ForegroundColor Red
    } catch {
        Write-Host " ✓ MD5 creation blocked (correct security behavior)" -ForegroundColor Green
        $certificates += @{Name="MD5 Hash"; Thumbprint="N/A"; Expected="Error"; Created=$false}
    }

    # Scenario 3: Weak RSA public key
    Write-Host "3. Creating weak RSA public key certificate..." -ForegroundColor Yellow
    $cert3 = New-SelfSignedCertificate -Subject "CN=Test-WeakRSA" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 1024 -KeyExportPolicy NonExportable
    $certificates += @{Name="Weak RSA (1024-bit)"; Thumbprint=$cert3.Thumbprint; Expected="Warning"; Created=$true}

    # Scenario 4: Strong modern cryptography
    Write-Host "4. Creating strong cryptography certificate..." -ForegroundColor Yellow
    $cert4 = New-SelfSignedCertificate -Subject "CN=Test-Strong" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddDays(365)
    $certificates += @{Name="Strong Cryptography"; Thumbprint=$cert4.Thumbprint; Expected="OK"; Created=$true}

    # Summary
    Write-Host "`n=== Cryptographic Test Summary ===" -ForegroundColor Magenta
    foreach ($cert in $certificates) {
        if ($cert.Created) {
            Write-Host "$($cert.Name): $($cert.Thumbprint) (Expected: $($cert.Expected))" -ForegroundColor White
        } else {
            Write-Host "$($cert.Name): Creation blocked by system security (Expected: $($cert.Expected))" -ForegroundColor Gray
        }
    }

    Write-Host "`n Next Steps:" -ForegroundColor Cyan
    Write-Host "1. Configure Nodinite Phase 2: Weak Cryptography Detection" -ForegroundColor White
    Write-Host "2. Wait for monitoring agent to discover certificates" -ForegroundColor White
    Write-Host "3. Verify each certificate shows expected cryptographic assessment" -ForegroundColor White
    Write-Host "4. Test alert notifications for weak algorithm detection" -ForegroundColor White

    # Cleanup script
    Write-Host "`n Cleanup All Test Certificates:" -ForegroundColor Magenta
    foreach ($cert in $certificates) {
        if ($cert.Created -and $cert.Thumbprint -ne "N/A") {
            Write-Host "Remove-Item 'Cert:\LocalMachine\My\$($cert.Thumbprint)' -Force" -ForegroundColor Gray
        }
    }
} catch {
    Write-Host "Error in cryptography test suite: $($_.Exception.Message)" -ForegroundColor Red
}
```
Usage Instructions
Running the Scripts
Open PowerShell 7 as Administrator

```powershell
# Ensure you're using PowerShell 7 and run as Administrator
# Required for LocalMachine certificate store access
Start-Process pwsh -Verb RunAs

# Verify PowerShell version
$PSVersionTable.PSVersion   # Should show 7.x.x or higher
```

Understand Modern Limitations
- Modern Windows blocks weak algorithms (SHA-1, MD5) for security
- Some test scenarios may fail by design (this is correct behavior)
- Focus on scenarios that succeed for actual testing
Run Individual Scenarios
- Copy and paste each scenario script
- Monitor certificates in Nodinite interface
- Verify expected cryptographic assessment
Monitoring Verification
After creating test certificates:
- Agent Discovery: Wait for monitoring agent to discover new certificates
- Algorithm Analysis: Check that weak cryptography detection identifies issues
- Alert Verification: Confirm appropriate alerts for weak algorithms
- Security Assessment: Validate that strong cryptography shows as secure
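To have a local baseline to compare the agent's assessment against, the function below walks a certificate store and rates each certificate with the same rules as the scenario table on this page (MD5 signature: Error; SHA-1 signature: Warning; RSA public key below 2048 bits: Warning; otherwise OK). This is an added example, not Nodinite's own detection logic; the function name, the OID list and the 2048-bit threshold are assumptions taken from the table and the public OID registry.

```powershell
# Added example (not Nodinite code): rate every certificate in a store with the
# Warning/Error rules used by the scenarios on this page. Signature algorithms are
# matched by OID because FriendlyName can be localised or empty.
function Get-CertificateCryptoAssessment {
    [CmdletBinding()]
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',
        [int]   $MinimumRsaBits = 2048   # NIST SP 800-57 minimum cited on this page
    )

    $md5Oids  = @('1.2.840.113549.1.1.4')                                           # md5RSA
    $sha1Oids = @('1.2.840.113549.1.1.5', '1.2.840.10045.4.1', '1.2.840.10040.4.3') # sha1RSA, sha1ECDSA, sha1DSA

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $findings = [System.Collections.Generic.List[string]]::new()
        $state    = 'OK'
        $sigOid   = $cert.SignatureAlgorithm.Value

        # Signature algorithm: MD5 outranks SHA-1, SHA-1 outranks a weak key
        if ($md5Oids -contains $sigOid) {
            $state = 'Error'
            $findings.Add('MD5 signature algorithm (critically weak)')
        } elseif ($sha1Oids -contains $sigOid) {
            $state = 'Warning'
            $findings.Add('SHA-1 signature algorithm (deprecated)')
        }

        # Public key strength: only RSA is rated here; ECC keys are listed but not rated
        $keyBits = $null
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -ne $rsa) {
            $keyBits = $rsa.KeySize
            if ($keyBits -lt $MinimumRsaBits) {
                if ($state -ne 'Error') { $state = 'Warning' }   # never downgrade an Error
                $findings.Add("RSA public key $keyBits bits (below $MinimumRsaBits-bit minimum)")
            }
            $rsa.Dispose()
        }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
            KeyBits            = $keyBits
            State              = $state
            Findings           = ($findings -join '; ')
        }
    }
}

# Limit the report to the test certificates created by the scenario and batch scripts
Get-CertificateCryptoAssessment |
    Where-Object { $_.Subject -like '*Crypto Testing*' -or $_.Subject -like 'CN=Test-*' } |
    Sort-Object State, Subject |
    Format-Table Subject, SignatureAlgorithm, KeyBits, State, Findings -AutoSize
```

A certificate whose local rating differs from what the Monitor View shows is the one to investigate first; the thumbprint column lines up with the values printed by the scenario scripts.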
Cleanup
Always clean up test certificates after validation:
```powershell
# Remove all cryptography test certificates: the individual scenarios use the
# "Nodinite Crypto Testing" organisation, the batch script uses "CN=Test-*" subjects
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*Crypto Testing*" -or $_.Subject -like "CN=Test-*" } |
    Remove-Item -Force
```
Troubleshooting
Common Scenarios
Q: SHA-1 or MD5 certificate creation fails
A: This is expected behavior on modern Windows systems. These algorithms are blocked for security reasons. Use legacy systems or import existing weak certificates for testing.
Q: All certificates show as "OK" even weak ones
A: Phase 2: Weak Cryptography Detection is not yet implemented. This FAQ prepares for testing when the feature becomes available.
Q: How is this different from Private Key Health monitoring?
A: Private Key Health (Phase 1) checks key accessibility and exportability. Weak Cryptography Detection (Phase 2) checks the mathematical strength of the cryptographic algorithms themselves.
Next Steps
- Run Cryptography Test Scripts: execute individual or batch testing scenarios
- Verify Algorithm Detection: confirm expected cryptographic assessments
- Clean Up Test Certificates: remove test certificates after validation
Related Topics
- Certificate Overview
- Certificate Monitoring
- Certificate Configuration
- FAQ: Certificate Testing Scenarios
- FAQ: Certificates for gMSA Accounts