- 10 minutes to read

FAQ - Private Key Health Testing

Validate Private Key Health monitoring with automated PowerShell test scripts covering all detection scenarios - from missing private keys and exportable keys to weak key lengths and modern ECDSA certificates.

What's on This Page:

  • 5 Test Scenarios - Automated PowerShell 7 scripts for Missing Private Keys, Exportable Private Keys, Weak Key Lengths, Healthy Certificates, and ECDSA Certificates
  • Batch Testing Script - Create all test scenarios with configurable flags and error handling
  • Cleanup Script - Remove test certificates after validation testing
  • Validation Checklist - Verify expected monitoring states match actual results
  • Troubleshooting - Resolve testing-specific issues (PowerShell errors, key export validation)

Why Test Private Key Health?

Private key health testing prevents certificate installation errors and security vulnerabilities from causing production outages. Testing ensures monitoring correctly identifies:

  • Missing private keys (ERROR) - Certificates without accessible private keys cannot be used for SSL/TLS
  • ⚠️ Exportable private keys (WARNING) - Security risk where private keys can be extracted
  • ⚠️ Weak key lengths (WARNING) - RSA < 2048 bits or ECDSA < 256 bits below security standards
  • Healthy certificates (OK) - Non-exportable keys with sufficient length
  • ECDSA certificates (OK) - Modern elliptic curve cryptography with strong keys

Related Documentation: See Private Key Health for complete feature documentation, detection examples, and remediation guidance.

Note

These scripts require PowerShell 7+ with Administrator privileges for certificate store access.

Warning

Never deploy test certificates to production environments. Always clean up after validation testing.

Testing Scenarios Overview

# Scenario Purpose Expected State Key Focus
1 Missing Private Key Certificate without accessible private key ERROR Unusable certificate detection
2 Exportable Private Key Private key marked as exportable ⚠️ WARNING Security risk identification
3 Weak Key Length RSA 1024-bit (below 2048-bit minimum) ⚠️ WARNING Cryptographic weakness detection
4 Healthy Certificate Non-exportable 2048-bit RSA key OK Proper certificate validation
5 ECDSA Certificate ECDSA P-256 non-exportable key OK Modern cryptography support

Test Scenario Workflow

graph TD Start[" Start Testing"] --> Config[" Configure Scenarios"] Config --> S1{" Scenario 1<br/>Missing Key"} Config --> S2{" Scenario 2<br/>Exportable Key"} Config --> S3{" Scenario 3<br/>Weak Key"} Config --> S4{" Scenario 4<br/>Healthy Cert"} Config --> S5{" Scenario 5<br/>ECDSA Cert"} S1 --> V1[" Error"] S2 --> V2[" Warning"] S3 --> V3[" Warning"] S4 --> V4[" OK"] S5 --> V5[" OK"] V1 --> Monitor[" Monitor Results"] V2 --> Monitor V3 --> Monitor V4 --> Monitor V5 --> Monitor Monitor --> Validate[" Validate Alerts"] Validate --> Cleanup[" Cleanup Test Certs"] Cleanup --> End[" Testing Complete"] style S1 fill:#ffebee style S2 fill:#fff3e0 style S3 fill:#fff3e0 style S4 fill:#e8f5e9 style S5 fill:#e8f5e9 style V1 fill:#ffcdd2 style V2 fill:#ffe0b2 style V3 fill:#ffe0b2 style V4 fill:#c8e6c9 style V5 fill:#c8e6c9

Diagram: Private key health test workflow showing scenario configuration, expected states, and monitoring verification process with color-coded severity levels.

Test Scenarios

Scenario 1: Certificate Without Private Key

Purpose: Validate ERROR state when certificate has no accessible private key.

Configuration:

Setting Value Rationale
Certificate Type Imported public key only Simulates missing private key
Subject CN=TestCert-NoPrivateKey Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Private Key NOT present Certificate unusable for SSL/TLS
Validity Period 1 year Standard test certificate lifetime

Expected Results:

Aspect Value
HasPrivateKey false
State ERROR
Detection Certificate cannot be used for SSL/TLS operations
Alert "Certificate missing private key"
Remediation Re-import certificate with private key OR issue new certificate

Scenario 2: Certificate with Exportable Private Key

Purpose: Validate WARNING state when private key is marked as exportable (security risk).

Configuration:

Setting Value Rationale
Certificate Type Self-signed with exportable private key Creates security risk scenario
Subject CN=TestCert-ExportableKey Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Private Key Exportable Security risk: key can be extracted
Key Length 2048-bit RSA Sufficient key length
Validity Period 1 year Standard test certificate lifetime

Expected Results:

Aspect Value
HasPrivateKey true
PrivateKey.Exportable true
State ⚠️ WARNING
Detection Private key can be exported
Alert "Certificate has exportable private key (security risk)"
Remediation Re-issue certificate with non-exportable private key

Scenario 3: Certificate with Weak Key Length

Purpose: Validate WARNING state when RSA key length is below 2048 bits.

Configuration:

Setting Value Rationale
Certificate Type Self-signed with weak key Creates weak crypto scenario
Subject CN=TestCert-WeakKey1024 Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Private Key Non-exportable Secure key storage
Key Length 1024-bit RSA Below 2048-bit minimum
Validity Period 1 year Standard test certificate lifetime

Expected Results:

Aspect Value
HasPrivateKey true
KeySize 1024 bits
State ⚠️ WARNING
Detection RSA key length below 2048-bit minimum
Alert "Certificate uses weak key length (1024 bits, minimum 2048)"
Remediation Replace with certificate having 2048-bit or larger RSA key

Scenario 4: Certificate with Secure Private Key

Purpose: Validate OK state when certificate has non-exportable private key with sufficient length.

Configuration:

Setting Value Rationale
Certificate Type Self-signed with secure key Creates healthy scenario
Subject CN=TestCert-HealthyKey2048 Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Private Key Non-exportable Secure key storage
Key Length 2048-bit RSA Meets security standards
Validity Period 1 year Standard test certificate lifetime

Expected Results:

Aspect Value
HasPrivateKey true
PrivateKey.Exportable false
KeySize 2048 bits
State OK
Detection Secure private key configuration
Alert None (healthy certificate)

Scenario 5: ECDSA Certificate with Strong Key

Purpose: Validate OK state for modern ECDSA certificates with P-256 curve.

Configuration:

Setting Value Rationale
Certificate Type Self-signed ECDSA certificate Tests elliptic curve support
Subject CN=TestCert-ECDSA-P256 Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Private Key Non-exportable Secure key storage
Curve P-256 (secp256r1) Equivalent to RSA 3072-bit security
Key Size 256 bits ECDSA minimum for P-256
Validity Period 1 year Standard test certificate lifetime

ECDSA Properties:

Property Value Security Equivalence
Algorithm ECDSA (Elliptic Curve Digital Signature Algorithm) Modern cryptography
Curve P-256 (NIST secp256r1) Industry standard
Key Size 256 bits Equivalent to RSA 3072-bit
Performance Faster signing/verification Lower CPU overhead
Certificate Size Smaller than RSA Reduced network overhead

ECDSA Advantages:

  • Smaller key size - 256-bit ECDSA provides equivalent security to 3072-bit RSA
  • Faster operations - Signing and verification are computationally more efficient
  • Lower overhead - Smaller certificate size reduces TLS handshake time
  • Modern standard - Widely supported by browsers, servers, and cryptographic libraries

Expected Results:

Aspect Value
HasPrivateKey true
PrivateKey.Exportable false
Algorithm ECDSA
Curve P-256 (secp256r1)
KeySize 256 bits
State OK
Detection Strong ECDSA key with secure curve
Alert None (healthy modern certificate)

Batch Testing Script

Purpose: Create all 5 test scenarios with a single PowerShell script.

# Private Key Health Testing - Batch Script
# Creates all 5 test scenarios for private key health monitoring
#
# Requires: PowerShell 7+, Administrator privileges
# Usage: .\Test-PrivateKeyHealth.ps1 -Scenarios 1,2,3,4,5

param(
    [int[]]$Scenarios = @(1,2,3,4,5),  # Which scenarios to create
    [switch]$Verbose                      # Show detailed output
)

Write-Host "=" * 70 -ForegroundColor Cyan
Write-Host "Private Key Health Test Suite" -ForegroundColor Cyan
Write-Host "=" * 70 -ForegroundColor Cyan
Write-Host ""

# Scenario 1: Missing Private Key
if (1 -in $Scenarios) {
    Write-Host "[1/5] Creating Missing Private Key scenario..." -ForegroundColor Yellow
    
    # Create certificate with private key
    $tempCert = New-SelfSignedCertificate `
        -Subject "CN=TestCert-NoPrivateKey, O=Nodinite Private Key Testing" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)
    
    # Export public key only
    $certPath = "$env:TEMP\NoPrivateKey.cer"
    Export-Certificate -Cert $tempCert -FilePath $certPath -Force | Out-Null
    
    # Remove certificate with private key
    Remove-Item "Cert:\LocalMachine\My\$($tempCert.Thumbprint)" -Force
    
    # Re-import public key only (no private key)
    $cert1 = Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\My
    Remove-Item $certPath -Force
    
    Write-Host "  ✓ Created: $($cert1.Thumbprint) (NO private key)" -ForegroundColor Green
}

# Scenario 2: Exportable Private Key
if (2 -in $Scenarios) {
    Write-Host "[2/5] Creating Exportable Private Key scenario..." -ForegroundColor Yellow
    $cert2 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-ExportableKey, O=Nodinite Private Key Testing" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)
    Write-Host "  ✓ Created: $($cert2.Thumbprint) (EXPORTABLE private key)" -ForegroundColor Green
}

# Scenario 3: Weak Key Length (1024-bit RSA)
if (3 -in $Scenarios) {
    Write-Host "[3/5] Creating Weak Key Length scenario (1024-bit)..." -ForegroundColor Yellow
    $cert3 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-WeakKey1024, O=Nodinite Private Key Testing" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -KeyLength 1024 -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)
    Write-Host "  ✓ Created: $($cert3.Thumbprint) (1024-bit RSA key)" -ForegroundColor Green
}

# Scenario 4: Healthy Certificate (2048-bit RSA, non-exportable)
if (4 -in $Scenarios) {
    Write-Host "[4/5] Creating Healthy Certificate scenario (2048-bit)..." -ForegroundColor Yellow
    $cert4 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-HealthyKey2048, O=Nodinite Private Key Testing" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -KeyLength 2048 -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)
    Write-Host "  ✓ Created: $($cert4.Thumbprint) (2048-bit RSA, non-exportable)" -ForegroundColor Green
}

# Scenario 5: ECDSA Certificate (P-256, non-exportable)
if (5 -in $Scenarios) {
    Write-Host "[5/5] Creating ECDSA Certificate scenario (P-256)..." -ForegroundColor Yellow
    $cert5 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-ECDSA-P256, O=Nodinite Private Key Testing" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -KeyAlgorithm ECDSA_secp256r1 `
        -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)
    Write-Host "  ✓ Created: $($cert5.Thumbprint) (ECDSA P-256, non-exportable)" -ForegroundColor Green
}

Write-Host ""
Write-Host "=" * 70 -ForegroundColor Cyan
Write-Host "Test certificate creation complete!" -ForegroundColor Green
Write-Host "Next: Monitor results in Nodinite Web Client" -ForegroundColor Cyan
Write-Host "=" * 70 -ForegroundColor Cyan

Cleanup Script

Purpose: Remove all test certificates after validation testing.

# Private Key Health Cleanup Script
# Removes all test certificates created by the batch testing script
#
# Requires: PowerShell 7+, Administrator privileges
# Usage: .\Cleanup-PrivateKeyHealth.ps1

Write-Host "Removing Private Key Health test certificates..." -ForegroundColor Cyan

# Find and remove test certificates
$testCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*Nodinite Private Key Testing*" -or
    $_.Subject -like "CN=TestCert-NoPrivateKey*" -or
    $_.Subject -like "CN=TestCert-ExportableKey*" -or
    $_.Subject -like "CN=TestCert-WeakKey*" -or
    $_.Subject -like "CN=TestCert-HealthyKey*" -or
    $_.Subject -like "CN=TestCert-ECDSA*"
}

if ($testCerts.Count -eq 0) {
    Write-Host "No test certificates found." -ForegroundColor Yellow
} else {
    Write-Host "Found $($testCerts.Count) test certificate(s)" -ForegroundColor White
    foreach ($cert in $testCerts) {
        Write-Host "  Removing: $($cert.Subject) [$($cert.Thumbprint)]" -ForegroundColor Gray
        Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Force
    }
    Write-Host "✓ Cleanup complete!" -ForegroundColor Green
}

Private Key Health Verification

After creating test certificates, verify Nodinite monitoring detects private key issues correctly:

  1. Wait for discovery - Allow 1-2 synchronization cycles (5-10 minutes default)
  2. Check Web Client - Navigate to Windows Server certificate monitoring
  3. Verify states - Confirm each test certificate shows expected state (Error/Warning/OK)
  4. Check inline errors - Expand private key health details to see specific issues
  5. Test alerts - If enabled, verify alerts triggered for configured error types

Expected Timeline:

Time Event
T+0 Test certificates created
T+5 min First synchronization cycle discovers certificates
T+5 min Private key health validation executes, errors detected
T+5 min Alerts generated (if enabled)
T+10 min Results visible in Web Client

Frequently Asked Questions

Q: Why do I get script errors when running the PowerShell test scripts?
A: These scripts require PowerShell 7 or later with Administrator privileges. Verify your PowerShell version by running $PSVersionTable.PSVersion - it should show 7.x or higher. PowerShell 5.1 (Windows PowerShell) has limitations with certificate key export policies. Download PowerShell 7+ from Microsoft's official site. Additionally, certificate operations require Administrator rights to access Cert:\LocalMachine stores.

Q: How do I validate Private Key Health monitoring with Nodinite?
A: Run the Batch Testing Script (see section above) on your Windows Server to create test scenarios for Missing Private Keys, Exportable Private Keys, Weak Key Lengths, Healthy Certificates, and ECDSA Certificates. The Nodinite monitoring agent will automatically discover these certificates during its next synchronization cycle and validate their private key health according to configured policies. Review the monitoring results in the Nodinite Web Client to verify each certificate shows the expected private key health state with inline error diagnostics.

Q: How do I enable Private Key Health monitoring in Nodinite?
A: Enable private key health validation in the Windows Server Monitoring Agent configuration. See the comprehensive Certificate Configuration guide for step-by-step instructions on enabling validation, configuring alert preferences for missing keys and exportable keys, setting minimum key length thresholds (RSA 2048-bit, ECDSA 256-bit), and adjusting cache duration for performance optimization.

Next Steps

Run Private Key Health Test Scripts - Execute batch testing scenarios
Verify Private Key Health Validation - Confirm expected error categorization
Clean Up Test Certificates - Remove test certificates after validation

Private Key Health
Certificate Configuration
FAQ: Certificate Purpose and EKU Testing
FAQ: Weak Cryptography Testing