
FAQ: Certificate Revocation Testing Scenarios

PowerShell 7+ Required - These scenarios use PowerShell 7 certificate management features.

Testing Only - Do NOT run these scripts in production environments. Test certificates are created for validation purposes only.

[Figure: Certificate Revocation Purpose Validation. Example of the certificate revocation status validation interface displaying OK, WARNING, and ERROR states based on CRL/OCSP availability in Nodinite Windows Server monitoring.]

Testing Scenarios Overview

| # | Scenario | Purpose | Expected State | Key Focus |
|---|----------|---------|----------------|-----------|
| 1 | Valid Revocation Check | Verify successful revocation validation with accessible CRL/OCSP | ✅ OK | Normal operation with valid revocation |
| 2 | Unknown Revocation Status | Test detection when CRL/OCSP endpoints are unreachable | ⚠️ WARNING | RevocationStatusUnknown detection |
| 3 | Offline Revocation Service | Simulate revocation service temporarily offline | ⚠️ WARNING | OfflineRevocation detection |
| 4 | Simulated Revoked Certificate | Create self-signed cert representing revoked state | ✅ OK (a self-signed cert cannot actually be revoked; ❌ ERROR requires a CA-issued, revoked cert) | Revoked certificate detection |
| 5 | SkipRevocationCheck Override | Test per-certificate revocation check bypass | ✅ OK | Configuration override validation |
| 6 | Missing Revocation Extensions | Certificate without CRL/OCSP extensions | ⚠️ WARNING | No revocation infrastructure |

Revocation Testing Workflow

graph TD
    Start([Start Testing]) --> Config[Configure Scenarios]
    Config --> S1[Scenario 1:<br/>Valid Revocation]
    Config --> S2[Scenario 2:<br/>Unknown Status]
    Config --> S3[Scenario 3:<br/>Offline Service]
    Config --> S4[Scenario 4:<br/>Simulated Revoked]
    Config --> S5[Scenario 5:<br/>Skip Check Override]
    Config --> S6[Scenario 6:<br/>Missing Extensions]
    S1 --> Monitor[Monitor in Nodinite]
    S2 --> Monitor
    S3 --> Monitor
    S4 --> Monitor
    S5 --> Monitor
    S6 --> Monitor
    Monitor --> V1[✅ Valid:<br/>OK State]
    Monitor --> V2[⚠️ Unknown:<br/>WARNING State]
    Monitor --> V3[⚠️ Offline:<br/>WARNING State]
    Monitor --> V4[❌ Revoked:<br/>ERROR State]
    Monitor --> V5[✅ Skip Check:<br/>OK State]
    Monitor --> V6[⚠️ No Extensions:<br/>WARNING State]
    V1 --> Validate[Validate Results]
    V2 --> Validate
    V3 --> Validate
    V4 --> Validate
    V5 --> Validate
    V6 --> Validate
    Validate --> Cleanup[Run Cleanup Script]
    Cleanup --> End([Testing Complete])
    style Start fill:#e3f2fd
    style Config fill:#e1f5fe
    style S1 fill:#e3f2fd
    style S2 fill:#fff3e0
    style S3 fill:#fff3e0
    style S4 fill:#ffebee
    style S5 fill:#e3f2fd
    style S6 fill:#fff3e0
    style Monitor fill:#e1bee7
    style V1 fill:#c8e6c9
    style V2 fill:#ffe0b2
    style V3 fill:#ffe0b2
    style V4 fill:#ffcdd2
    style V5 fill:#c8e6c9
    style V6 fill:#ffe0b2
    style Validate fill:#b3e5fc
    style Cleanup fill:#f5f5f5
    style End fill:#e3f2fd

Test Scenarios

Scenario 1: Valid Revocation Check

Purpose: Verify that a certificate whose revocation status raises no issue is reported as OK. The batch script simulates this with a self-signed certificate that carries no revocation extensions, so no CRL/OCSP lookup takes place.

Configuration:

  • Certificate Type: Self-signed, without CRL/OCSP extensions (the batch script cannot add them)
  • CRL Distribution Point: None (self-signed, acts as its own trust anchor)
  • Store: Local Machine\My
  • Expected State: ✅ OK

Validation Points:

  • Self-signed certificate validates without revocation check (no CRL infrastructure)
  • Certificate shows as valid in Nodinite
  • No revocation warnings generated

Scenario 2: Unknown Revocation Status

Purpose: Test detection of RevocationStatusUnknown when CRL/OCSP endpoints cannot be reached.

Configuration:

  • Certificate Type: Self-signed, intended to carry a CRL Distribution Point whose URL cannot be resolved
  • CRL Distribution Point: http://invalid.example.com/crl (unreachable). Note: the batch script does not add this extension, because New-SelfSignedCertificate has no parameter for it; without a CDP the certificate behaves like Scenario 1.
  • Store: Local Machine\My
  • Expected State: ⚠️ WARNING

Validation Points:

  • Cannot determine revocation status (CRL URL unreachable)
  • Generates RevocationStatusUnknown warning
  • Certificate still usable but revocation cannot be verified

Scenario 3: Offline Revocation Service

Purpose: Simulate revocation service temporarily offline or experiencing connectivity issues.

Configuration:

  • Certificate Type: Self-signed, intended to carry a CRL Distribution Point that points to localhost
  • CRL Distribution Point: http://127.0.0.1:9999/crl (port not listening). Note: as in Scenario 2, the batch script does not add this extension; without a CDP the certificate behaves like Scenario 1.
  • Store: Local Machine\My
  • Expected State: ⚠️ WARNING

Validation Points:

  • Revocation service connection refused or timeout
  • Generates OfflineRevocation warning
  • Indicates transient connectivity issue

Scenario 4: Simulated Revoked Certificate

Purpose: Create a certificate that represents a revoked state by naming convention only (a self-signed certificate cannot actually be revoked, since there is no issuing CA to publish a CRL or answer OCSP).

Configuration:

  • Certificate Type: Self-signed with "Revoked" in Subject for identification
  • Validation Method: Cannot truly revoke self-signed (requires CA infrastructure)
  • Store: Local Machine\My
  • Expected State: ✅ OK (limitation: self-signed)

Validation Points:

  • Self-signed certificates cannot be truly revoked (no CA)
  • This scenario demonstrates naming convention only
  • Real revoked certificates require CA-issued certs with CRL/OCSP

Scenario 5: SkipRevocationCheck Override

Purpose: Test per-certificate revocation check bypass configuration.

Configuration:

  • Certificate Type: Self-signed
  • SkipRevocationCheck: True (configured in Nodinite)
  • Store: Local Machine\My
  • Expected State: ✅ OK

Validation Points:

  • Revocation checking skipped for this certificate
  • No RevocationStatusUnknown warnings generated
  • Configuration override works correctly

Scenario 6: Missing Revocation Extensions

Purpose: Test certificate without CRL Distribution Point or OCSP extensions.

Configuration:

  • Certificate Type: Self-signed without revocation extensions
  • CRL Distribution Point: None
  • OCSP Responder: None
  • Store: Local Machine\My
  • Expected State: ⚠️ WARNING

Validation Points:

  • Certificate lacks revocation infrastructure
  • No CRL or OCSP endpoints to query
  • Warning indicates no revocation validation is possible
  • Note: the batch script builds this certificate with the same parameters as Scenario 1, so both will report the same state in Nodinite; use the pair to confirm that self-signed certificates without revocation extensions are reported consistently
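
Scenarios 2, 3 and 6 only differ if the test certificate really carries (or lacks) a CRL Distribution Point, which New-SelfSignedCertificate cannot add. The following is an added example, not code from the original page or from Nodinite: it uses the .NET CertificateRequest API available in PowerShell 7 to build self-signed certificates with a hand-encoded CDP extension (or none), stores them in LocalMachine\My under the page's naming convention so the cleanup script still removes them, and runs a local X509Chain revocation check to see which status flags the Windows chain engine reports before Nodinite evaluates the certificate. Assumed: PowerShell 7 on Windows in an elevated console; the function and parameter names are the example's own. Whether the chain engine consults the CDP of a self-signed certificate depends on the revocation flag (a self-signed certificate is its own root, and ExcludeRoot would skip it), so EntireChain is used.

```powershell
# Added example (not part of the original page or of Nodinite).
# Assumes PowerShell 7 on Windows, run as Administrator.

# Minimal DER TLV encoder (short and long-form lengths up to 65535 bytes).
function New-DerTlv([byte]$Tag, [byte[]]$Content) {
    $len = $Content.Length
    if ($len -lt 0x80)      { $lenBytes = [byte[]]@($len) }
    elseif ($len -lt 0x100) { $lenBytes = [byte[]]@(0x81, $len) }
    else                    { $lenBytes = [byte[]]@(0x82, ($len -shr 8), ($len -band 0xFF)) }
    return [byte[]](@([byte]$Tag) + $lenBytes + $Content)
}

# CRLDistributionPoints (RFC 5280, 4.2.1.13):
#   SEQUENCE { SEQUENCE { [0] distributionPoint { [0] fullName { [6] IA5String uri } } } }
function New-CdpExtension([string]$CrlUrl) {
    $uri      = New-DerTlv 0x86 ([System.Text.Encoding]::ASCII.GetBytes($CrlUrl))  # GeneralName [6] URI
    $fullName = New-DerTlv 0xA0 $uri        # DistributionPointName CHOICE fullName [0]
    $dpName   = New-DerTlv 0xA0 $fullName   # DistributionPoint.distributionPoint [0] (explicit)
    $dp       = New-DerTlv 0x30 $dpName     # DistributionPoint SEQUENCE
    $cdp      = New-DerTlv 0x30 $dp         # CRLDistributionPoints SEQUENCE OF
    return [System.Security.Cryptography.X509Certificates.X509Extension]::new('2.5.29.31', $cdp, $false)
}

function New-RevocationTestCertificate {
    param(
        [Parameter(Mandatory)][string]$Name,   # becomes CN=Nodinite-Test-<Name>
        [string]$CrlUrl = '',                  # empty => no CDP extension (Scenario 1 / 6 shape)
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine'
    )
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    try {
        $subject = "CN=Nodinite-Test-$Name, O=Nodinite Testing, OU=Revocation Tests"
        $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            $subject, $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor
              [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        $req.CertificateExtensions.Add(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($ku, $false))
        if ($CrlUrl) { $req.CertificateExtensions.Add((New-CdpExtension $CrlUrl)) }

        $now = [DateTimeOffset]::UtcNow
        $ephemeral = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddYears(1))

        # CreateSelfSigned yields an ephemeral key; round-trip through PFX so the key is
        # persisted in the machine (or user) key store where a monitoring agent can see it.
        $pw    = [guid]::NewGuid().ToString('N')
        $pfx   = $ephemeral.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pw)
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        if ($StoreLocation -eq 'LocalMachine') {
            $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
        }
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfx, $pw, $flags)

        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', $StoreLocation)
        $store.Open('ReadWrite')
        try { $store.Add($cert) } finally { $store.Close() }
        return $cert
    }
    finally { $rsa.Dispose() }
}

# Local pre-check: ask the Windows chain engine for the revocation-related status flags.
# EntireChain is used because a self-signed certificate is its own root.
function Get-RevocationChainStatus([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $null = $chain.Build($Cert)
        foreach ($s in $chain.ChainStatus) {
            [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Status = $s.Status; Detail = $s.StatusInformation.Trim() }
        }
    }
    finally { $chain.Dispose() }
}

# Scenario 2 shape: CDP host does not resolve.  Scenario 3 shape: CDP port not listening.
# Scenario 6 shape: no revocation extensions at all.
$c2 = New-RevocationTestCertificate -Name 'UnknownStatus'  -CrlUrl 'http://invalid.example.com/crl'
$c3 = New-RevocationTestCertificate -Name 'OfflineService' -CrlUrl 'http://127.0.0.1:9999/crl'
$c6 = New-RevocationTestCertificate -Name 'NoExtensions'
$c2, $c3, $c6 | ForEach-Object { Get-RevocationChainStatus $_ } | Format-Table -AutoSize
```

Compare the flags the chain engine reports for the three certificates with the states Nodinite shows after synchronization: the two certificates with a CDP are the ones on which RevocationStatusUnknown or OfflineRevocation can appear, while the one without extensions is structurally identical to the batch script's certificates. Remove the certificates with the page's cleanup script; their subjects match its filter.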

Batch Testing Script

Run all revocation test scenarios in a single batch operation. Configure which scenarios to create using the $scenarios hashtable.

# ============================================
# Certificate Revocation Testing - Batch Creation Script
# ============================================
# PowerShell 7+ Required
# Run as Administrator
# ============================================

# Configure which scenarios to create (set $false to skip)
$scenarios = @{
    ValidRevocation = $true        # Scenario 1: Valid revocation check
    UnknownStatus = $true           # Scenario 2: Unknown revocation status
    OfflineService = $true          # Scenario 3: Offline revocation service
    SimulatedRevoked = $true        # Scenario 4: Simulated revoked certificate
    SkipCheck = $true               # Scenario 5: SkipRevocationCheck override
    MissingExtensions = $true       # Scenario 6: Missing revocation extensions
}

$certificates = @()
$store = "Cert:\LocalMachine\My"

Write-Host "`n================================" -ForegroundColor Cyan
Write-Host "Certificate Revocation Testing" -ForegroundColor Cyan
Write-Host "================================`n" -ForegroundColor Cyan

# ============================================
# Scenario 1: Valid Revocation Check
# ============================================
if ($scenarios.ValidRevocation) {
    Write-Host "[Scenario 1] Creating Valid Revocation Check certificate..." -ForegroundColor Yellow
    
    try {
        $cert1 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-ValidRevocation, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 1: Valid Revocation Check"
            Thumbprint = $cert1.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "OK (self-signed, no revocation check)"
        }
        
        Write-Host "  ✓ Created: $($cert1.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: OK (self-signed certificate, no CRL infrastructure)" -ForegroundColor Green
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Scenario 2: Unknown Revocation Status
# ============================================
if ($scenarios.UnknownStatus) {
    Write-Host "`n[Scenario 2] Creating Unknown Revocation Status certificate..." -ForegroundColor Yellow
    
    try {
        # Note: New-SelfSignedCertificate has no parameter for a CRL Distribution Point, so this
        # certificate carries no CRL/OCSP extension and behaves like Scenario 1. A WARNING
        # (RevocationStatusUnknown) requires a certificate whose CDP URL is unreachable.
        $cert2 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-UnknownStatus, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 2: Unknown Revocation Status"
            Thumbprint = $cert2.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "WARNING only with a CRL extension present (this cert has none)"
        }
        
        Write-Host "  ✓ Created: $($cert2.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: WARNING (RevocationStatusUnknown) only if a CRL extension is present" -ForegroundColor Yellow
        Write-Host "  Note: this self-signed cert has no CRL extension; see the Scenario 2 notes" -ForegroundColor Gray
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Scenario 3: Offline Revocation Service
# ============================================
if ($scenarios.OfflineService) {
    Write-Host "`n[Scenario 3] Creating Offline Revocation Service certificate..." -ForegroundColor Yellow
    
    try {
        $cert3 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-OfflineService, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 3: Offline Revocation Service"
            Thumbprint = $cert3.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "WARNING only with a CRL endpoint that is offline (this cert has none)"
        }
        
        Write-Host "  ✓ Created: $($cert3.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: WARNING (OfflineRevocation) only if the cert points at an offline CRL service" -ForegroundColor Yellow
        Write-Host "  Note: requires a cert with a CRL endpoint (CA-issued, or self-signed with a CDP added) to test properly" -ForegroundColor Gray
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Scenario 4: Simulated Revoked Certificate
# ============================================
if ($scenarios.SimulatedRevoked) {
    Write-Host "`n[Scenario 4] Creating Simulated Revoked certificate..." -ForegroundColor Yellow
    
    try {
        $cert4 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-RevokedCert, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 4: Simulated Revoked Certificate"
            Thumbprint = $cert4.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "OK (cannot revoke self-signed)"
        }
        
        Write-Host "  ✓ Created: $($cert4.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: OK (self-signed certs cannot be truly revoked)" -ForegroundColor Yellow
        Write-Host "  Note: Real revoked state requires CA-issued certificate" -ForegroundColor Gray
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Scenario 5: SkipRevocationCheck Override
# ============================================
if ($scenarios.SkipCheck) {
    Write-Host "`n[Scenario 5] Creating SkipRevocationCheck Override certificate..." -ForegroundColor Yellow
    
    try {
        $cert5 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-SkipCheck, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 5: SkipRevocationCheck Override"
            Thumbprint = $cert5.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "OK (configure SkipRevocationCheck=true in Nodinite)"
        }
        
        Write-Host "  ✓ Created: $($cert5.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: OK (after setting SkipRevocationCheck=true)" -ForegroundColor Green
        Write-Host "  Action Required: Set SkipRevocationCheck=true in Nodinite for this cert" -ForegroundColor Cyan
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Scenario 6: Missing Revocation Extensions
# ============================================
if ($scenarios.MissingExtensions) {
    Write-Host "`n[Scenario 6] Creating Missing Revocation Extensions certificate..." -ForegroundColor Yellow
    
    try {
        $cert6 = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-NoExtensions, O=Nodinite Testing, OU=Revocation Tests" `
            -CertStoreLocation $store `
            -KeyLength 2048 `
            -KeyAlgorithm RSA `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -NotAfter (Get-Date).AddYears(1)
        
        $certificates += @{
            Name = "Scenario 6: Missing Revocation Extensions"
            Thumbprint = $cert6.Thumbprint
            Store = "LocalMachine\My"
            ExpectedState = "WARNING (no CRL/OCSP extensions)"
        }
        
        Write-Host "  ✓ Created: $($cert6.Thumbprint)" -ForegroundColor Green
        Write-Host "  Expected: WARNING (certificate lacks revocation extensions)" -ForegroundColor Yellow
        Write-Host "  Note: built with the same parameters as Scenario 1, so both certs report the same state" -ForegroundColor Gray
    }
    catch {
        Write-Host "  ✗ Failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# ============================================
# Summary
# ============================================
Write-Host "`n================================" -ForegroundColor Cyan
Write-Host "Certificate Creation Summary" -ForegroundColor Cyan
Write-Host "================================`n" -ForegroundColor Cyan

if ($certificates.Count -gt 0) {
    Write-Host "Created $($certificates.Count) test certificate(s):`n" -ForegroundColor Green
    
    foreach ($cert in $certificates) {
        Write-Host "Certificate: $($cert.Name)" -ForegroundColor White
        Write-Host "  Thumbprint: $($cert.Thumbprint)" -ForegroundColor Gray
        Write-Host "  Store: $($cert.Store)" -ForegroundColor Gray
        Write-Host "  Expected State: $($cert.ExpectedState)" -ForegroundColor Cyan
        Write-Host ""
    }
    
    Write-Host "Next Steps:" -ForegroundColor Yellow
    Write-Host "1. Wait for the Nodinite Windows Server Agent to discover the certificates (or force a sync)" -ForegroundColor White
    Write-Host "2. For Scenario 5: Set SkipRevocationCheck=true on the 'Nodinite-Test-SkipCheck' certificate" -ForegroundColor White
    Write-Host "3. Verify each certificate shows the expected state in Nodinite Monitor Views" -ForegroundColor White
    Write-Host "4. Check revocation status details in the certificate properties" -ForegroundColor White
    Write-Host "5. Run the cleanup script when testing is complete`n" -ForegroundColor White
} else {
    Write-Host "No certificates were created (all scenarios disabled)`n" -ForegroundColor Yellow
}

Write-Host "Important Notes:" -ForegroundColor Yellow
Write-Host "• Self-signed certificates have limitations for revocation testing" -ForegroundColor Gray
Write-Host "• True revocation states require CA-issued certificates with CRL/OCSP infrastructure" -ForegroundColor Gray
Write-Host "• These scenarios demonstrate naming and configuration patterns" -ForegroundColor Gray
Write-Host "• For comprehensive testing, use CA-issued certificates in test environment`n" -ForegroundColor Gray

Cleanup Script

Remove all test certificates created by the batch script. This cleanup script removes certificates from both LocalMachine and CurrentUser stores, regardless of which scenarios were enabled during creation.

# ============================================
# Certificate Revocation Testing - Cleanup Script
# ============================================
# Removes ALL Nodinite revocation test certificates
# Run as Administrator
# ============================================

Write-Host "`n================================" -ForegroundColor Cyan
Write-Host "Certificate Cleanup - Revocation Tests" -ForegroundColor Cyan
Write-Host "================================`n" -ForegroundColor Cyan

$removed = 0
$failed = 0

# Clean up LocalMachine\My store
Write-Host "Cleaning LocalMachine\My store..." -ForegroundColor Yellow
$localCerts = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {
    $_.Subject -like "*Nodinite-Test*" -and $_.Subject -like "*Revocation Tests*"
}

foreach ($cert in $localCerts) {
    try {
        Write-Host "  Removing: $($cert.Subject) [$($cert.Thumbprint)]" -ForegroundColor Gray
        # -DeleteKey also removes the private key; without it the key container is left orphaned
        Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Force -DeleteKey
        $removed++
    }
    catch {
        Write-Host "  ✗ Failed to remove: $($cert.Thumbprint) - $($_.Exception.Message)" -ForegroundColor Red
        $failed++
    }
}

# Clean up CurrentUser\My store
Write-Host "`nCleaning CurrentUser\My store..." -ForegroundColor Yellow
$userCerts = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {
    $_.Subject -like "*Nodinite-Test*" -and $_.Subject -like "*Revocation Tests*"
}

foreach ($cert in $userCerts) {
    try {
        Write-Host "  Removing: $($cert.Subject) [$($cert.Thumbprint)]" -ForegroundColor Gray
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -Force -DeleteKey
        $removed++
    }
    catch {
        Write-Host "  ✗ Failed to remove: $($cert.Thumbprint) - $($_.Exception.Message)" -ForegroundColor Red
        $failed++
    }
}

# Summary
Write-Host "`n================================" -ForegroundColor Cyan
Write-Host "Cleanup Summary" -ForegroundColor Cyan
Write-Host "================================`n" -ForegroundColor Cyan

Write-Host "Certificates removed: $removed" -ForegroundColor Green
if ($failed -gt 0) {
    Write-Host "Failed to remove: $failed" -ForegroundColor Red
}

if ($removed -eq 0 -and $failed -eq 0) {
    Write-Host "No revocation test certificates found`n" -ForegroundColor Yellow
} else {
    Write-Host "`nCleanup complete!`n" -ForegroundColor Green
}

Usage Instructions

Running the Batch Script

  1. Open PowerShell 7 as Administrator

    # Verify PowerShell version
    $PSVersionTable.PSVersion  # Should be 7.0 or higher
    
  2. Configure Scenarios (optional)

    Edit the $scenarios hashtable in the batch script to enable/disable specific test scenarios:

    $scenarios = @{
        ValidRevocation = $true      # Enable/disable Scenario 1
        UnknownStatus = $true         # Enable/disable Scenario 2
        OfflineService = $true        # Enable/disable Scenario 3
        SimulatedRevoked = $true      # Enable/disable Scenario 4
        SkipCheck = $true             # Enable/disable Scenario 5
        MissingExtensions = $true     # Enable/disable Scenario 6
    }
    
  3. Execute the Script

    Copy and paste the entire batch script into PowerShell 7 console running as Administrator.

  4. Monitor in Nodinite

    • Wait for the Windows Server Agent to discover the certificates (polling interval: 5-15 minutes)
    • Or force synchronization: click the Sync All button in Nodinite Monitor Views
    • Navigate to the certificate resources to view revocation status

  5. Cleanup After Testing

    Run the cleanup script to remove all test certificates from both stores.

Validation Checklist

Verify the following after running the batch script:

  • ☐ Scenario 1 (Valid Revocation) shows OK state
  • ☐ Scenario 2 (Unknown Status) generates WARNING (only if the certificate carries a CRL extension; the batch script's does not)
  • ☐ Scenario 3 (Offline Service) generates WARNING (only if the certificate points at an offline CRL endpoint; the batch script's does not)
  • ☐ Scenario 4 (Simulated Revoked) shows OK (self-signed limitation)
  • ☐ Scenario 5 (Skip Check) shows OK after setting SkipRevocationCheck=true
  • ☐ Scenario 6 (Missing Extensions) generates WARNING (created with the same parameters as Scenario 1, so expect the same state as Scenario 1)
  • ☐ Certificate details show revocation status information
  • ☐ Chain validation includes revocation check results

Troubleshooting

Q: Certificates created but not detected in Nodinite?

A: Force synchronization (click the "Sync All" button in Nodinite) or wait for the agent discovery cycle (polling interval typically 5-15 minutes).

Q: All certificates show OK state (no warnings/errors)?

A: Self-signed certificates have limitations:

  • Self-signed certificates do not carry CRL/OCSP extensions unless you add them yourself; the batch script's certificates have none
  • A self-signed certificate cannot be revoked at all (revocation requires an issuing CA that publishes a CRL or answers OCSP)
  • For comprehensive testing, use CA-issued certificates in a test environment

Q: How do I test a genuinely revoked certificate?

A: Requires CA-issued certificate:

  1. Obtain certificate from internal or test CA
  2. Revoke certificate using CA management tools
  3. Wait for CRL update or OCSP cache refresh
  4. Certificate will show "Revoked" state in Nodinite
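
When no test CA is at hand, the mechanics of the steps above can still be exercised end to end in memory. The following is an added example, not code from the original page or from Nodinite: a throwaway CA built with the .NET CertificateRequest API issues a leaf, publishes a CRL (CertificateRevocationListBuilder, .NET 7, so PowerShell 7.3 or later) that lists the leaf's serial number as revoked for key compromise, and the leaf's serial is then checked against the CRL's revokedCertificates list with AsnReader. Assumed: PowerShell 7.3+ on any OS; nothing is written to a certificate store; the serial number and names are constructed for the example. The leaf deliberately has no CRL Distribution Point, because the check here is offline; to have the Windows chain engine (and Nodinite) see the revocation, the leaf would need a CDP and the CRL would have to be published at that URL.

```powershell
# Added example (not part of the original page or of Nodinite). Requires PowerShell 7.3+ (.NET 7).

function New-TestCa([string]$Name) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Name", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    # CA profile: CA=true, KeyCertSign|CrlSign, and an SKI (the CRL's AKI is derived from it).
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign -bor
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign, $true))
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]::new($req.PublicKey, $false))
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddYears(2))
}

function New-LeafFromCa([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca,
                        [string]$Subject, [byte[]]$Serial) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false, $false, 0, $false))
    $now = [DateTimeOffset]::UtcNow
    return $req.Create($Ca, $now.AddMinutes(-5), $now.AddYears(1), $Serial)   # signed with the CA's key
}

# The CA "revokes" the serial: a signed CRL listing it with reason keyCompromise.
function New-CrlRevoking([System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca, [byte[]]$RevokedSerial) {
    $builder = [System.Security.Cryptography.X509Certificates.CertificateRevocationListBuilder]::new()
    $builder.AddEntry($RevokedSerial, [DateTimeOffset]::UtcNow,
        [System.Security.Cryptography.X509Certificates.X509RevocationReason]::KeyCompromise)
    return $builder.Build($Ca, [System.Numerics.BigInteger]::One, [DateTimeOffset]::UtcNow.AddDays(7),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1, $null)
}

# Walk the CRL (RFC 5280, 5.1) and return the revoked serial numbers as upper-case hex.
function Get-CrlRevokedSerials([byte[]]$CrlDer) {
    $rules    = [System.Formats.Asn1.AsnEncodingRules]::DER
    $certList = [System.Formats.Asn1.AsnReader]::new($CrlDer, $rules).ReadSequence()  # CertificateList
    $tbs      = $certList.ReadSequence()                                              # TBSCertList
    $null = $tbs.ReadInteger()      # version (the builder writes v2)
    $null = $tbs.ReadSequence()     # signature AlgorithmIdentifier
    $null = $tbs.ReadSequence()     # issuer Name
    $null = $tbs.ReadUtcTime()      # thisUpdate (UTCTime for dates before 2050)
    $null = $tbs.ReadUtcTime()      # nextUpdate (the builder always writes one)
    $serials = [System.Collections.Generic.List[string]]::new()
    if ($tbs.HasData -and $tbs.PeekTag().HasSameClassAndValue([System.Formats.Asn1.Asn1Tag]::Sequence)) {
        $revoked = $tbs.ReadSequence()                          # revokedCertificates OPTIONAL
        while ($revoked.HasData) {
            $entry = $revoked.ReadSequence()
            $serials.Add([System.Convert]::ToHexString($entry.ReadIntegerBytes().ToArray()))  # userCertificate
        }
    }
    return $serials
}

$ca     = New-TestCa 'Nodinite-Test-RevocationCA'
$serial = [byte[]](0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF)   # constructed serial; top bit clear
$leaf   = New-LeafFromCa $ca 'CN=Nodinite-Test-RevokedCert, O=Nodinite Testing, OU=Revocation Tests' $serial
$crlDer = New-CrlRevoking $ca $serial
$revokedSerials = Get-CrlRevokedSerials $crlDer
"Leaf serial: $($leaf.SerialNumber)"
"Revoked serials in CRL: $($revokedSerials -join ', ')"
"Leaf is revoked per CRL: $($revokedSerials -contains $leaf.SerialNumber)"
```

Step 3 of the procedure above (waiting for the CRL update) is what the nextUpdate value in the CRL governs: a chain engine keeps using a cached CRL until then, so a certificate revoked after the cache was filled is still reported as good until the next fetch. To carry the example over to a chain engine, write $crlDer to a file and publish it at the URL named in the leaf's CRL Distribution Point.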

Q: SkipRevocationCheck override not working?

A: Verify configuration:

  1. Open certificate resource in Nodinite
  2. Navigate to Configuration tab
  3. Set SkipRevocationCheck = true
  4. Save changes
  5. Force agent synchronization

Revocation Monitoring
Chain Validation
Certificate Configuration
Certificate Monitoring
FAQ: Certificate Purpose and EKU Testing Scenarios
FAQ: Chain Validation Testing Scenarios