
Private Key Health Monitoring

:6.4.0.0: Monitor certificate Private Key Health to detect security risks and accessibility issues including missing keys, exportable keys, and insufficient key lengths.

Overview

Private key health monitoring validates that certificates have secure, accessible private keys with appropriate cryptographic strength. This monitoring detects three critical security issues:

  • Missing Private Keys: Certificates without accessible private keys (rendering them unusable)
  • Exportable Private Keys: Keys that can be exported pose security risks if compromised
  • Weak Key Lengths: Keys below minimum recommended lengths (RSA < 2048 bits, ECDSA < 256 bits)

State Evaluation

Certificates are evaluated based on private key health with the following states:

Condition                                                State        Description
Private key present, non-exportable, sufficient length   OK           Secure configuration
Private key exportable OR key length below minimum       ⚠️ WARNING   Security risk detected
Certificate in Personal store lacks private key          ERROR        Certificate unusable
Certificate not in Personal store, no private key        ℹ️ INFO      Expected for CA/Root certificates

Private Key Presence Detection

What It Checks:

  • Does the certificate have an associated private key?
  • Is the private key accessible to the monitoring agent?
  • Is the certificate in a store where private keys are expected (Personal/My store)?

Why It Matters:

Certificates in the Personal (My) store are typically used for:

  • SSL/TLS server authentication (IIS, web services)
  • Client authentication (mTLS, VPN)
  • Code signing and email encryption
  • Service-to-service authentication

Without a private key, these certificates cannot function for their intended purpose.

Example Scenarios:

✅ OK: Web server certificate with private key
   Store: LocalMachine\My
   Has Private Key: Yes
   Exportable: No
   Key Length: 2048 bits (RSA)

❌ ERROR: Certificate without private key in Personal store
   Store: LocalMachine\My
   Has Private Key: No
   Issue: Cannot be used for SSL/TLS authentication

ℹ️ INFO: Root CA certificate without private key
   Store: LocalMachine\Root
   Has Private Key: No
   Expected: Root certificates don't require private keys

Exportability Security

What It Checks:

  • Is the private key marked as exportable?
  • Can the key material be extracted from the certificate store?

Why It Matters:

Exportable private keys pose significant security risks:

  • Key Theft: Attackers with system access can export and steal private keys
  • Unauthorized Duplication: Keys can be copied to other systems without authorization
  • Compliance Violations: Many security standards prohibit exportable private keys
  • Long-Term Risk: Even if key is never exported, the possibility creates persistent risk

Security Best Practice: Private keys should be non-exportable and hardware-protected when possible (HSM, TPM).

Example Scenarios:

⚠️ WARNING: Exportable private key detected
   Certificate: www.example.com
   Private Key: Exportable
   Risk: Key can be stolen if system is compromised
   Recommendation: Re-issue certificate with non-exportable key

✅ OK: Non-exportable private key
   Certificate: www.example.com
   Private Key: Non-Exportable
   Security: Key cannot be extracted from certificate store

Key Length Validation

What It Checks:

  • RSA key length ≥ 2048 bits (default minimum)
  • ECDSA key length ≥ 256 bits (default minimum)
  • Configurable thresholds via MinimumPrivateKeyLength setting

Why It Matters:

Weak key lengths are vulnerable to:

  • Brute Force Attacks: Modern computing power can break keys < 2048 bits
  • Quantum Computing Threat: Future quantum computers may break RSA < 4096 bits
  • Compliance Requirements: PCI-DSS, NIST, and other standards mandate minimum key lengths

Recommended Key Lengths:

Algorithm   Minimum     Recommended   High Security
RSA         2048 bits   2048 bits     4096 bits
ECDSA       256 bits    256 bits      384 bits
DSA         2048 bits   3072 bits     Deprecated

Example Scenarios:

⚠️ WARNING: Weak RSA key length
   Certificate: legacy.example.com
   Algorithm: RSA
   Key Length: 1024 bits
   Risk: Vulnerable to brute force attacks
   Recommendation: Re-issue with 2048+ bit key

✅ OK: Strong RSA key
   Certificate: www.example.com
   Algorithm: RSA
   Key Length: 2048 bits
   Security: Meets current standards

✅ OK: Strong ECDSA key
   Certificate: api.example.com
   Algorithm: ECDSA (P-256)
   Key Length: 256 bits
   Security: Equivalent to RSA 3072 bits
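As an added example (not Nodinite's own agent code), the evaluation described by the state table and the three checks above, scripted against the Windows certificate store; the function name, store path and thresholds are assumptions, and key-length and exportability are read from the CNG or legacy CAPI key handle rather than from the certificate alone:

```powershell
# Added example (not Nodinite agent code): classify every certificate in a store into the
# page's OK / WARNING / ERROR / INFO states. Function name and thresholds are assumptions.
function Get-PrivateKeyHealth {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [int]$MinRsaBits = 2048, [int]$MinEcdsaBits = 256)
    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    $isPersonal  = $StorePath -like '*\My'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $state = 'OK'; $notes = @(); $algo = 'Unknown'; $bits = 0; $exportable = $null
        if (-not $cert.HasPrivateKey) {
            # Missing key: ERROR in the Personal store, INFO elsewhere (CA/Root certificates)
            $state = if ($isPersonal) { 'ERROR' } else { 'INFO' }
            $notes += 'no private key'
        } else {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa) {
                    $algo = 'RSA'; $bits = $rsa.KeySize
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $exportable = $rsa.Key.ExportPolicy.HasFlag($allowExport)   # CNG key (KSP)
                    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        $exportable = $rsa.CspKeyContainerInfo.Exportable           # legacy CAPI key
                    }
                    if ($bits -lt $MinRsaBits) { $state = 'WARNING'; $notes += "RSA $bits < $MinRsaBits bits" }
                } else {
                    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                    if ($ec) {
                        $algo = 'ECDSA'; $bits = $ec.KeySize
                        if ($ec -is [System.Security.Cryptography.ECDsaCng]) {
                            $exportable = $ec.Key.ExportPolicy.HasFlag($allowExport)
                        }
                        if ($bits -lt $MinEcdsaBits) { $state = 'WARNING'; $notes += "ECDSA $bits < $MinEcdsaBits bits" }
                    }
                }
                # Exportable stays $null for providers this script does not recognise
                if ($exportable) { $state = 'WARNING'; $notes += 'private key exportable' }
            } catch {
                # HasPrivateKey is true but this account cannot open the key: treat it as inaccessible
                $state = 'ERROR'; $notes += "private key not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Algorithm = $algo
            KeyBits = $bits; Exportable = $exportable; State = $state; Notes = ($notes -join '; ')
        }
    }
}

Get-PrivateKeyHealth | Format-Table -AutoSize
```

Run it in an elevated session for LocalMachine stores; a key that exists but cannot be opened by the current account shows up as ERROR with the access error in the Notes column, which is the "accessible to the monitoring agent" check in practice.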

Certificate Details Display

Private key information is displayed in the certificate Details view:

Private Key Information Section

Private Key Information
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Has Private Key: ✅ Yes
Exportable: ❌ No (Secure)
Key Algorithm: RSA
Key Length: 2048 bits
Key Container: {GUID}
Key Provider: Microsoft Software Key Storage Provider

✅ Private key is secure and accessible

Warning Examples

⚠️ WARNING: Exportable Private Key
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Has Private Key: ✅ Yes
Exportable: ⚠️ Yes (Security Risk)
Key Algorithm: RSA
Key Length: 2048 bits

⚠️ Security Risk: This private key can be exported
Recommendation: Re-issue certificate with non-exportable key

⚠️ WARNING: Weak Key Length
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Has Private Key: ✅ Yes
Exportable: ❌ No
Key Algorithm: RSA
Key Length: 1024 bits (Below minimum: 2048 bits)

⚠️ Security Risk: Key length does not meet current standards
Recommendation: Re-issue certificate with 2048+ bit key

❌ ERROR: Missing Private Key
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Has Private Key: ❌ No
Store Location: LocalMachine\My (Personal)

❌ Critical: Certificate cannot be used without private key
This certificate was likely imported without its private key or
the private key was deleted. Re-import the certificate with its
private key or obtain a new certificate.

Certificate Details with Private Key Information
Certificate details page showing Private Key Information section with health monitoring data.

Configuration

Configure private key health monitoring via Nodinite web interface or agent configuration file.

Configuration Settings

Setting                           Default     Purpose
Monitor Private Key Health        Enabled     Enable/disable private key monitoring
Alert on Missing Private Key      Enabled     ERROR when Personal store cert lacks private key
Alert on Exportable Private Key   Enabled     WARNING when private key is exportable
Minimum Private Key Length        2048 bits   WARNING if RSA key < this length

For detailed configuration options, see Certificate Configuration - Private Key Health.

Testing Private Key Monitoring

Create test certificates to validate private key health monitoring:

Test Scenario 1: Certificate with Secure Private Key (OK)

# Create certificate with non-exportable private key (secure)
$secureCert = New-SelfSignedCertificate `
    -Subject "CN=Secure-Test" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy NonExportable `
    -KeyLength 2048
# Expected: OK state - non-exportable, 2048-bit key

Test Scenario 2: Certificate with Exportable Private Key (WARNING)

# Create certificate with exportable private key (security risk)
$exportableCert = New-SelfSignedCertificate `
    -Subject "CN=Exportable-Test" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeyLength 2048
# Expected: WARNING state - exportable private key detected

Test Scenario 3: Certificate with Weak Key Length (WARNING)

# Create certificate with 1024-bit key (weak)
$weakKeyCert = New-SelfSignedCertificate `
    -Subject "CN=WeakKey-Test" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 1024
# Expected: WARNING state - key length below 2048 bits

Test Scenario 4: Certificate Without Private Key (ERROR)

# Create a dedicated test certificate, export only its public part, then remove the
# original together with its private key; re-importing the same certificate into a
# store that still holds it with its key would not produce a key-less certificate
$tmpCert = New-SelfSignedCertificate -Subject "CN=NoKey-Test" -CertStoreLocation "Cert:\LocalMachine\My"
Export-Certificate -Cert $tmpCert -FilePath "cert-no-key.cer" -Type CERT
Remove-Item -Path "Cert:\LocalMachine\My\$($tmpCert.Thumbprint)" -DeleteKey

# Import the public certificate only (no private key)
Import-Certificate -FilePath "cert-no-key.cer" -CertStoreLocation "Cert:\LocalMachine\My"
# Expected: ERROR state - certificate in Personal store without private key

Test Scenario 5: ECDSA Certificate with Strong Key (OK)

# Create ECDSA certificate with P-256 curve (256-bit equivalent)
$ecdsaCert = New-SelfSignedCertificate `
    -Subject "CN=ECDSA-Test" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm ECDSA_nistP256 `
    -KeyExportPolicy NonExportable
# Expected: OK state - ECDSA 256-bit key, non-exportable

For comprehensive testing scripts and additional scenarios, see FAQ: Private Key Health.

Security Best Practices

  1. Never Use Exportable Keys in Production: Always set -KeyExportPolicy NonExportable when creating certificates
  2. Minimum Key Lengths: Use 2048+ bits for RSA, 256+ bits for ECDSA
  3. Hardware Security Modules (HSM): Store private keys in HSMs when possible for maximum security
  4. Regular Key Rotation: Replace certificates with weak keys during next renewal cycle
  5. Monitor Continuously: Enable private key health monitoring on all certificate-bearing servers
  6. Audit Exportable Keys: Identify and replace any exportable private keys in production environments
  7. Document Exceptions: If exportable keys are required (backup scenarios), document the business justification

Next Step