Certificate Remote Actions

Manage X509 certificates and IIS HTTPS bindings directly from Nodinite with remote actions for viewing details, editing thresholds, and performing remediation operations.

Available Remote Actions

Remote actions are available from resource context menus in Monitor Views and dashboard resources.

Certificate Store Actions

Available on Store category resources (summary/rollup views):

Action	Purpose	What You See
Edit Store Thresholds	Modify global warning/error days before expiration	Warning/Error threshold inputs, Save/Cancel buttons
List Expired Certificates	View all expired certificates from selected store	Paginated list: Friendly Name, Issuer, Subject, Expiration Date, Days Expired

Edit Store Thresholds

Modify global certificate expiration thresholds that apply to all certificates without specific overrides:

Store: [LocalMachine ▼]
Warning Days Before Expiration: [30] days
Error Days Before Expiration: [7] days
[Save] [Cancel]

Effects:

• Applies to all certificates in selected store
• Certificate-specific thresholds override these settings
• Changes take effect immediately on next monitoring cycle

List Expired Certificates

View comprehensive list of expired certificates for quick remediation:

Expired Certificates in LocalMachine\My (12 total)
[Search...] [Export]

| Friendly Name | Issued By | Subject | Expired On | Days Expired | Action |
|---|---|---|---|---|---|
| WebServer-2024 | Contoso Internal CA | www.example.com | 2025-10-15 | 31 days | [View] [Replace] |
| Exchange Server | Contoso Internal CA | mail.example.com | 2025-10-10 | 36 days | [View] [Renew] |

Certificate Resource Actions

Available on individual certificate resources (LocalMachine, CurrentUser categories):

Action	Purpose	Information Displayed
View Details	Display comprehensive certificate information	All certificate properties and validation results
Edit Thresholds	Override global thresholds for this certificate	Specific warning/error days, Save/Cancel
Manage IIS Bindings	View and remediate IIS binding issues (Phase 5)	Binding details, hostname matching, renewal status

View Certificate Details

Comprehensive certificate information including all security assessment data:

Basic Information:

• Friendly Name / Display Name
• Subject Name
• Issuer Name (Issued By)
• Serial Number
• Thumbprint (SHA-1)

Validity Period:

• Valid From (Issue Date)
• Valid Until (Expiration Date)
• Days Until Expiration
• Days Since Issue

Cryptographic Information:

• Signature Algorithm (e.g., SHA256RSA)
• Public Key Algorithm (RSA/ECDSA)
• Public Key Size (bits)
• Hash Algorithm
• Phase 2 Alert: If using SHA-1 or MD5, security warning displayed

Private Key Information (Phase 1):

• Private Key Present: Yes / No
• Private Key Exportable: Yes / No / Unknown
• Private Key Size (bits)
• Phase 1 Alert: If missing or exportable, security warning displayed

Certificate Chain (Phase 3):

• Chain Validation Status: OK / Partial Chain / Untrusted Root / Other Issues
• Chain Details:
  • Leaf Certificate
  • Intermediate CA (if applicable)
  • Root CA
• Phase 3 Alert: Specific chain validation errors with remediation steps

Certificate Purpose & Usage (Phase 4):

• Server Authentication (SSL/TLS)
• Client Authentication (mTLS)
• Code Signing
• Key Encipherment
• Digital Signature
• Phase 4 Alert: If multi-purpose or any-purpose, warning displayed

IIS Binding Status (Phase 5):

• IIS Binding Present: Yes / No
• Binding Details:
  • IIS Site Name
  • Binding Hostname
  • Port (443 for HTTPS)
  • SNI Enabled: Yes / No
• Hostname Verification:
  • Binding Hostname: www.example.com
  • Certificate Subject: www.example.com
  • Alternate Names (SAN): www.example.com, example.com, *.example.com
  • Match Status: ✅ Exact Match / ⚠️ Wildcard Match / ❌ No Match
• Phase 5 Alert: If mismatch or stale binding, warning displayed

Edit Certificate-Specific Thresholds

Override global thresholds for high-priority certificates:

Certificate: "www.example.com - Issued By: Contoso Internal CA"
Override Global Thresholds: [✓ Checked]

Warning Days Before Expiration: [60] days
Error Days Before Expiration: [14] days

[Save] [Cancel] [Revert to Global]

Use Cases:

• Critical Production Certs: Set aggressive thresholds (60/14 days)
• Standard Services: Use global thresholds (30/7 days)
• Development Certs: Set relaxed thresholds (7/1 day)

Manage IIS Bindings

View and manage IIS HTTPS bindings for the certificate (Phase 5 action):

Binding Summary:

Certificate Status: ✅ Valid (31 days remaining)

IIS Bindings Using This Certificate:
┌─────────────────────────────────────────────────────────────┐
│ Binding 1: WebServer (Port 443)                             │
│ Hostname: www.example.com                                   │
│ Match Status: ✅ Exact Match                                │
│ SNI Enabled: Yes                                            │
│ Action: [Binding Details] [Renewal Status]                 │
├─────────────────────────────────────────────────────────────┤
│ Binding 2: WebServer (Port 443)                             │
│ Hostname: api.example.com                                   │
│ Match Status: ⚠️ Wildcard Match (cert: *.example.com)       │
│ SNI Enabled: Yes                                            │
│ Action: [Binding Details] [Renewal Status]                 │
└─────────────────────────────────────────────────────────────┘

Binding Remediation Actions:

For bindings with issues:

Issue	Action	Effect
Binding hostname mismatch	Update Certificate	Assist in finding/selecting correct certificate
Expired certificate in binding	Update Binding	Update binding to new certificate
Stale binding (old cert still in use)	Replace with New Certificate	Update binding to renewed certificate
Missing certificate in binding	View Error Details	Show specific error and remediation steps

Renewal Status:

Certificate Renewal Timeline:
Current Cert: Valid until 2025-12-20 (31 days)
Warning Threshold: 30 days → Expires 2025-11-20
Renewal Recommended: Around 2025-10-15 (45 days before expiration)

Renewal Status:
☐ New certificate already created
☐ Ready to replace binding
☐ No renewal planned yet

Bulk Operations

Perform actions on multiple certificates at once:

List All Expired Certificates (By Store)

Generate report of expired certificates for remediation planning:

Expired Certificates Report
Generated: 2025-10-29 10:30 UTC
Server: WEB-SERVER-01

LocalMachine\My Store (12 expired):
1. www.example.com - Expired 31 days ago
2. mail.example.com - Expired 36 days ago
3. api.example.com - Expired 5 days ago
... (9 more)

CurrentUser\My Store (0 expired)

Service Account (AppPool1) Store (2 expired):
1. sql-server-cert - Expired 8 days ago
2. app-service-cert - Expired 12 days ago

Total Expired: 14 certificates
Estimated Renewal Effort: 3-4 hours (manual remediation)

Export Certificate List

Export CSV for spreadsheet analysis and compliance reporting:

Friendly Name,Issued By,Subject,Valid From,Valid Until,Days Until Expiration,Private Key,IIS Binding,Binding Hostname,Hostname Match,State
WebServer-2024,Contoso Internal CA,www.example.com,2024-10-29,2025-10-29,0,Yes,Yes,www.example.com,Exact,ERROR
API-Server-2024,Contoso Internal CA,api.example.com,2024-10-29,2025-10-29,0,Yes,Yes,api.example.com,Exact,ERROR

Common Workflows

Workflow 1: Renew Expiring Certificate

Scenario: Certificate showing warning (expires in 30 days)

1. Open Nodinite Monitor View → Certificate resource showing WARNING
2. Click View Details
3. Review current certificate info and expiration date
4. Generate new certificate from CA:
   • Use same hostname/SAN as current certificate
   • Use same key algorithm and size (RSA 2048 or better)
   • Ensure proper certificate purpose (Server Auth for IIS)
5. Install new certificate in certificate store
6. If IIS binding: Use Manage IIS Bindings → Replace with New Certificate
7. Verify new certificate now shows as OK with ~365 days remaining
8. Archive old certificate reference for compliance records

Workflow 2: Fix Hostname Mismatch in IIS Binding

Scenario: IIS binding shows warning "Hostname doesn't match certificate"

1. Open Nodinite Monitor View → Certificate showing WARNING
2. Click View Details
3. Review IIS Bindings section → Locate binding with mismatch
4. Options to fix:
   • Option A: Update binding to use correct certificate (if exists)
     • Click Manage IIS Bindings → Update Certificate
     • Select certificate matching binding hostname
   • Option B: Request new certificate for binding hostname
     • Note binding hostname requirement
     • Request new certificate from CA
     • Follow "Renew Expiring Certificate" workflow above
5. After fix, verify binding now shows ✅ Exact Match

Workflow 3: Audit All IIS Bindings

Scenario: Verify all IIS binding certificates are valid and match hostnames

1. Open Nodinite Monitor View → Filter by Category: "Local Machine"
2. Review all LocalMachine certificate resources
3. For each certificate, click View Details
4. Check "IIS Binding Status" section for:
   • ✅ All bindings present: Yes
   • ✅ Hostname verification: Exact or Wildcard match
   • ✅ SNI enabled: Yes (recommended)
5. Note any resources with ⚠️ warnings:
   • Hostname mismatch → Follow Workflow 2
   • Stale binding → Replace with new certificate
   • Expiring soon → Initiate renewal (Workflow 1)
6. Export certificate list for compliance records

Workflow 4: Replace Certificates After Renewal

Scenario: Certificate renewed, need to update IIS binding to use new one

1. Verify new certificate installed in certificate store
2. Open old certificate details:
   • Click old certificate in Monitor View
   • Click View Details
3. In IIS Bindings section, click Manage IIS Bindings
4. Click Replace with New Certificate
5. System shows:
   • Current certificate in binding
   • New certificate available (matching hostname)
   • Option to perform replacement
6. Click Confirm Replacement
7. IIS binding updated to use new certificate
8. Verify new certificate now shows:
   • ✅ OK state
   • ~365 days until expiration
   • IIS binding listed with new certificate

Information Display

Remote action results display with relevant context:

Success Messages

✓ Certificate Thresholds Updated
Configuration saved and will take effect on next monitoring cycle.

Warning: 60 days before expiration
Error: 14 days before expiration

Warning Messages

⚠️ Certificate Expiring Soon (14 days remaining)
Consider scheduling renewal immediately.
Current expiration: 2025-11-12
Recommended renewal by: 2025-10-28

Error Messages

❌ IIS Binding Hostname Mismatch
Binding hostname 'api.example.com' does not match certificate 'www.example.com'
Affected IIS Site: 'WebServer'
Resolution: Update binding to use matching certificate or request new certificate for 'api.example.com'

Next Step

• Certificate Monitoring Features

Related Topics

• Certificate Configuration
• Certificate Overview
• FAQ: IIS Functionality Testing