Certificate Monitoring

Monitor X509 Certificates across Windows Server certificate stores with comprehensive security evaluation including private key health, cryptographic strength, chain validation, purpose validation, IIS binding health, and duplicate detection.

State Evaluation for X509 Certificates

Certificate Resources

Certificate Resources are displayed within Nodinite as individual Resources. For example, if you have 1,337 certificates across all monitored stores, you will see 1,337 'Certificate' Resources in Nodinite.

Resource Naming Convention

The name of a Certificate Resource follows this format: [Friendly Name] - Issued By: [Issuer Name] / Issued To: [Subject Name]

Certificate Categories

X509 Certificate Resources are organized into the following categories:

Store
  A summary resource for certificate store locations. It shows an overview of expired certificates and lets you configure the global certificate monitoring thresholds (warning/error days before expiration). When you open this resource, you see a paginated list of all expired certificates from the selected store location (LocalMachine or CurrentUser Personal). This is useful for a quick overview of certificate expiration issues without checking individual certificates.

Current User
  Individual certificates installed in the CurrentUser Personal (My) store for the service account running the monitoring agent, or for impersonated user accounts. Only the Personal (My) store is monitored for user accounts because that is where user-specific certificates with private keys are stored. Each certificate is monitored individually against the configured thresholds.

Local Machine
  Individual certificates installed in all LocalMachine stores (My, Root, CA, TrustedPeople, etc.). These are system-wide certificates accessible to all users and services on the Windows Server. Each certificate is monitored individually and evaluated against either the global thresholds or the specific thresholds you configure for that certificate.

Key Differences

  • Store Category: A rollup/summary view showing expired certificates from a store location. Used for configuration and overview.
  • Local Machine/Current User Categories: Individual certificate resources with their own status (OK/WARNING/ERROR) based on days until expiration and chain validation.

Threshold Configuration

  • Global Thresholds: Set via the "Store" category resource - applies to all certificates that don't have specific thresholds configured
  • Specific Thresholds: Set individually on each certificate resource in "Local Machine" or "Current User" categories - overrides global thresholds for that specific certificate

Categories
List of Certificate related Categories, as a filter in a Monitor View.

  • The Application name is the Display Name from the configuration of the monitored Windows Server.
    Figure: Application naming example.

Each item (presented in Nodinite as a Resource) is evaluated with a state (OK, Warning, Error, Unavailable).

The evaluated state may be reconfigured using the Expected State feature that exists on every Resource within Nodinite.

Note

Depending on the user-defined synchronization interval set for the Windows Server Monitoring Agent, there might be a delay before the Nodinite Web Client/Monitor Views reflect the change. Click the Sync All button (or use the dropdown to select an individual agent) to force Nodinite to request a resynchronization.

Sync button
Option to force Nodinite to request a resynchronization with the selected monitoring agent.

Monitoring X509 Certificates

For the different Certificate categories, the monitored state evaluates as described in the tables below:

Store

For the Category Store, there is a single virtual Resource per Windows Server entry named Certificate Store. This Resource can have one of the following states:

Unavailable (Service not available)
  • The server can't be reached and evaluated due to network or security-related problems
  • Bad configuration (invalid/non-existing Source/Provider/...)
  Actions: Review prerequisites
Error (Error state raised)
  Not implemented
Warning (Warning state raised)
  Not implemented
OK (Online)
  The Certificate store on the selected computer can be browsed and evaluated
  Actions: Edit Thresholds, Expired Certificates

Current User

For the Category Current User, there can be many Resources named %User-Friendly Name% - Issued By: %Name% / Issued To: %Name%.

The listed Resources can have one of the following states:

Unavailable (Service not available)
  • The server can't be reached and evaluated due to network or security-related problems
  • Bad configuration (invalid/non-existing Source/Provider/...)
  Actions: Review prerequisites
Error (Error state raised)
  • The certificate is about to expire or has already expired
  • The certificate is invalid, revoked, or has other reported problems
  Actions: Edit, Details
Warning (Warning state raised)
  The certificate is about to expire or has already expired
  Actions: Edit, Details
OK (Online)
  The certificate is valid and is not about to expire
  Actions: Edit, Details

Local Machine

For the Category Local Machine, there can be many Resources named %User-Friendly Name% - Issued By: %Name% / Issued To: %Name%. A Resource can have one of the following states:

Unavailable (Service not available)
  • The server can't be reached and evaluated due to network or security-related problems
  • Bad configuration (invalid/non-existing Source/Provider/...)
  Actions: Review prerequisites
Error (Error state raised)
  • The certificate has expired or is about to expire
  • The certificate is invalid, revoked, or has other reported problems
  Actions: Edit, Details
Warning (Warning state raised)
  The certificate has expired or is about to expire
  Actions: Edit, Details
OK (Online)
  The certificate is valid and is not about to expire
  Actions: Edit, Details

Monitoring Features

Certificate monitoring provides seven comprehensive security assessment features to detect configuration issues, security risks, and certificate management problems:

Private Key Health
  Validates private key accessibility, exportability, and cryptographic strength.
  Detects:
  • Missing private keys
  • Exportable private keys (security risk)
  • Weak key lengths (RSA < 2048 bits, ECDSA < 256 bits)
  Learn more: Private Key Health

Weak Cryptography Detection
  Identifies certificates using deprecated or insecure cryptographic algorithms.
  Detects:
  • MD5 signature algorithms
  • SHA-1 hash algorithms
  • RSA keys < 2048 bits
  Learn more: Weak Cryptography Detection

Chain Validation
  Comprehensive certificate chain trust and policy validation with inline error display.
  Detects:
  • UntrustedRoot errors
  • PartialChain (missing intermediates)
  • Revocation failures
  • Expired chain certificates
  Learn more: Chain Validation

Revocation Monitoring
  Validates certificate revocation status via CRL and OCSP protocols.
  Detects:
  • Revoked certificates
  • RevocationStatusUnknown
  • OfflineRevocation
  • Expired CRLs (Phase 10)
  Learn more: Revocation Monitoring

Certificate Purpose & EKU
  Validates Enhanced Key Usage (EKU) and Key Usage extensions for security compliance.
  Detects:
  • "Any Purpose" certificates (overly permissive)
  • Missing Server/Client/Code Signing EKUs
  • Multi-purpose certificates
  Learn more: Certificate Purpose and EKU

IIS Binding & SAN Monitoring
  Monitors IIS HTTPS bindings and Subject Alternative Names with wildcard detection.
  Detects:
  • Orphaned IIS bindings
  • Hostname mismatches
  • Multi-level wildcards (security risk)
  • Excessive SANs (100+ domains)
  Learn more: IIS Binding and SAN Monitoring

Duplicate Certificate Detection
  Identifies multiple certificates with identical Subject/SAN to prevent selection ambiguity.
  Detects:
  • Same-store duplicates
  • Cross-store duplicates
  • Multiple private keys (ambiguous selection)
  • Renewal overlaps
  Learn more: Duplicate Certificate Detection

Integrated State Evaluation

Certificate state evaluation combines findings from all monitoring features:

Priority Order (most critical to least):

  1. Private Key Health: Missing/exportable private keys, weak key lengths
  2. Weak Cryptography Detection: MD5, SHA-1, weak RSA keys
  3. Chain Validation: UntrustedRoot, PartialChain, revocation failures
  4. Revocation Monitoring: Revoked certificates, unknown/offline revocation status
  5. Certificate Purpose & EKU: "Any Purpose" violations, missing required EKUs
  6. IIS Binding & SAN Monitoring: Orphaned bindings, hostname mismatches, multi-level wildcards
  7. Duplicate Detection: Multiple private keys, excessive duplicates
  8. Certificate Expiration: Days until expiration thresholds

Final State: ERROR > WARNING > OK (worst state from all features determines overall certificate state)

Comprehensive Assessment: The certificate details page integrates findings from all features, providing administrators with complete security posture including cryptographic strength, private key status, chain validation results, purpose validation, IIS binding health, duplicate detection, and expiration monitoring in a unified interface.
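To make the threshold override (Threshold Configuration) and the worst-state aggregation (Integrated State Evaluation) concrete, here is an added Python example written for this page; it is not Nodinite's agent code. It runs the checks the feature table lists over constructed certificate records, lets specific thresholds override the global ones, and returns the worst state in the page's priority order; the record field names, the default threshold values, and the WARNING state for unknown/offline revocation are assumptions.

```python
from datetime import date

RANK = {"OK": 0, "WARNING": 1, "ERROR": 2}
GLOBAL_THRESHOLDS = {"warning_days": 30, "error_days": 7}  # assumed "Store" defaults
TODAY = date(2025, 1, 15)  # constructed evaluation date
SAMPLE = [  # constructed records, not real certificates; field names are assumptions
    {"subject": "CN=web01.example.test", "has_private_key": True, "exportable": False,
     "key_algo": "RSA", "key_bits": 2048, "sig_algo": "sha256", "eku": ["1.3.6.1.5.5.7.3.1"],
     "sans": ["web01.example.test"], "not_after": date(2025, 2, 4)},
    {"subject": "CN=legacy.example.test", "has_private_key": True, "exportable": True,
     "key_algo": "RSA", "key_bits": 1024, "sig_algo": "sha1",
     "sans": ["*.*.example.test"], "not_after": date(2025, 6, 1)},
]

def evaluate(cert, today, specific=None):
    """Return (state, findings) for one record; specific thresholds override global ones."""
    th = specific or GLOBAL_THRESHOLDS
    findings = []
    # 1. Private key health: missing key, exportable key, weak key length
    if not cert.get("has_private_key"):
        findings.append(("ERROR", "private key missing"))
    elif cert.get("exportable"):
        findings.append(("WARNING", "private key is exportable"))
    min_bits = 2048 if cert["key_algo"] == "RSA" else 256  # RSA < 2048, ECDSA < 256
    if cert["key_bits"] < min_bits:
        findings.append(("ERROR", f"weak {cert['key_algo']} key ({cert['key_bits']} bits)"))
    # 2. Weak cryptography: MD5 or SHA-1 signature algorithm
    if cert["sig_algo"].lower() in ("md5", "sha1"):
        findings.append(("ERROR", f"deprecated signature algorithm {cert['sig_algo']}"))
    # 3./4. Chain and revocation status strings; WARNING for unknown/offline is an assumption
    for status in cert.get("chain_status", []):
        hard = status in ("UntrustedRoot", "PartialChain", "Revoked", "NotTimeValid")
        findings.append(("ERROR" if hard else "WARNING", f"chain status {status}"))
    # 5. Purpose/EKU: anyExtendedKeyUsage (OID 2.5.29.37.0) is overly permissive
    if "2.5.29.37.0" in cert.get("eku", []):
        findings.append(("WARNING", "Any Purpose EKU"))
    # 6. SAN checks: multi-level wildcards and excessive SAN counts (100+)
    sans = cert.get("sans", [])
    if any(name.count("*") > 1 for name in sans):
        findings.append(("ERROR", "multi-level wildcard SAN"))
    if len(sans) >= 100:
        findings.append(("WARNING", f"excessive SANs ({len(sans)})"))
    # 8. Expiration against the thresholds in effect (negative days = already expired)
    days_left = (cert["not_after"] - today).days
    if days_left <= th["error_days"]:
        findings.append(("ERROR", f"expires in {days_left} days"))
    elif days_left <= th["warning_days"]:
        findings.append(("WARNING", f"expires in {days_left} days"))
    state = max((f[0] for f in findings), key=RANK.get, default="OK")  # worst state wins
    return state, findings
```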

Next Steps

Explore the comprehensive certificate security monitoring features: