- 0 minutes to read

FAQ - Certificate Purpose and EKU Testing Scenarios

Validate Certificate Purpose and EKU monitoring with automated PowerShell test scripts covering all detection scenarios - from properly scoped single-purpose certificates (OK) to security risks like "Any Purpose" certificates (ERROR) and multi-purpose configurations (WARNING).

What's on This Page:

  • 6 Test Scenarios - Automated PowerShell scripts 7 for Server Auth, Client Auth, Code Signing, Multi-Purpose, Any Purpose, and Missing Key Usage
  • Batch Testing Script - Create all test certificates with configurable scenario flags and error handling
  • Cleanup Script - Remove test certificates after validation testing
  • Validation Checklist - Verify expected monitoring states match actual results
  • Troubleshooting - Resolve testing-specific issues (agent detection, configuration, PowerShell errors)

Why Test Certificate Purpose?

Certificate purpose validation prevents security risks from overly permissive certificates. Testing ensures monitoring correctly identifies:

  • Any Purpose certificates (ERROR) - Can be used for ANY operation if compromised
  • ⚠️ Multi-purpose certificates (WARNING) - Broader attack surface than needed
  • ⚠️ Missing Key Usage (WARNING) - Unclear purpose, potential compatibility issues
  • Single-purpose certificates (OK) - Properly scoped, follows least privilege

Related Documentation: See Certificate Purpose and EKU for complete feature documentation, security context, detection examples, and best practices.

Note

These scripts require PowerShell 7+ with Administrator privileges for certificate store access.

Warning

Never deploy test certificates to production environments. Always clean up after validation testing.

Certificate Purpose Validation Example
Certificate purpose validation showing Enhanced Key Usage extensions and security assessment results.

Testing Scenarios Overview

# Scenario Purpose Expected State Key Focus
1 Server Authentication SSL/TLS server certificates OK Server Auth EKU (1.3.6.1.5.5.7.3.1)
2 Client Authentication Client auth & mTLS OK Client Auth EKU (1.3.6.1.5.5.7.3.2)
3 Code Signing Software & script signing OK Code Signing EKU (1.3.6.1.5.5.7.3.3)
4 Multi-Purpose Multiple EKUs (broader scope) Warning Server + Client Auth combined
5 Any Purpose Overly permissive certificate Critical Any Purpose EKU (2.5.29.37.0)
6 Missing Key Usage Undefined usage flags Warning No Key Usage extension

Test Scenario Workflow

graph TD Start[<i class='fas fa-play'></i> Start Testing] --> Config[<i class='fas fa-cogs'></i> Configure Scenarios] Config --> S1{<i class='fas fa-server'></i> Scenario 1<br/>Server Auth} Config --> S2{<i class='fas fa-user-shield'></i> Scenario 2<br/>Client Auth} Config --> S3{<i class='fas fa-file-signature'></i> Scenario 3<br/>Code Signing} Config --> S4{<i class='fas fa-tasks'></i> Scenario 4<br/>Multi-Purpose} Config --> S5{<i class='fas fa-skull-crossbones'></i> Scenario 5<br/>Any Purpose} Config --> S6{<i class='fas fa-question-circle'></i> Scenario 6<br/>Missing Usage} S1 --> V1[<i class='far fa-circle-check' style='color:green'></i> OK] S2 --> V2[<i class='far fa-circle-check' style='color:green'></i> OK] S3 --> V3[<i class='far fa-circle-check' style='color:green'></i> OK] S4 --> V4[<i class='fal fa-exclamation-triangle' style='color:orange'></i> Warning] S5 --> V5[<i class='fal fa-times-circle' style='color:red'></i> Critical] S6 --> V6[<i class='fal fa-exclamation-triangle' style='color:orange'></i> Warning] V1 --> Monitor[<i class='fas fa-eye'></i> Monitor Results] V2 --> Monitor V3 --> Monitor V4 --> Monitor V5 --> Monitor V6 --> Monitor Monitor --> Validate[<i class='fas fa-check-double'></i> Validate Alerts] Validate --> Cleanup[<i class='fas fa-broom'></i> Cleanup Test Certs] Cleanup --> End[<i class='fas fa-flag-checkered'></i> Testing Complete] style S1 fill:#e3f2fd style S2 fill:#e3f2fd style S3 fill:#e3f2fd style S4 fill:#fff3e0 style S5 fill:#ffebee style S6 fill:#fff3e0 style V1 fill:#c8e6c9 style V2 fill:#c8e6c9 style V3 fill:#c8e6c9 style V4 fill:#ffe0b2 style V5 fill:#ffcdd2 style V6 fill:#ffe0b2

Test Scenarios

Scenario 1: Server Authentication

Purpose: Validate SSL/TLS server certificate monitoring with proper Server Authentication EKU.

Configuration:

Setting Value Rationale
EKU Server Authentication (1.3.6.1.5.5.7.3.1) Single-purpose EKU for HTTPS/TLS servers - follows least privilege principle
Key Usage DigitalSignature, KeyEncipherment Required for SSL/TLS handshake and session key encryption
Store Local Machine Server certificates must be accessible to IIS/services running under system accounts
Expected State ✅ OK Properly scoped certificate should pass validation without warnings

Tip

Using certificates with IBM MQ? IBM MQ has version-specific certificate storage: legacy agents (.NET Framework 4.8) use IBM MQ Key Database files (.kdb), while modern agents (.NET 9/10) support Windows Certificate Store. See IBM MQ SSL Certificate Configuration for conversion guidance and keystore setup.

Validation Points:

  • Client Auth EKU present and validated
  • Server Auth EKU present and validated
  • Appropriate for IIS bindings, API endpoints, HTTPS services
  • No security warnings for properly scoped certificate

Scenario 2: Client Authentication

Purpose: Test client authentication certificate validation for mTLS and client auth scenarios.

Configuration:

Setting Value Rationale
EKU Client Authentication (1.3.6.1.5.5.7.3.2) Single-purpose EKU for client-side authentication (mTLS, VPN, smart cards)
Key Usage DigitalSignature Client certificates only need to sign authentication challenges
Store Current User Client certificates are user-specific, stored in user profile for personal authentication
Expected State ✅ OK Properly scoped client certificate should pass validation

Validation Points:

  • Client Auth EKU properly configured
  • Suitable for mutual TLS, VPN client auth, smart card authentication
  • User-specific certificate store location

Scenario 3: Code Signing

Purpose: Verify code signing certificate purpose validation.

Configuration:

Setting Value Rationale
EKU Code Signing (1.3.6.1.5.5.7.3.3) Single-purpose EKU for signing executables, scripts, and software packages
Key Usage DigitalSignature Code signing only requires ability to create digital signatures
Store Local Machine Shared code signing certificates accessible to build servers and deployment systems
Expected State ✅ OK Purpose-specific code signing certificate should validate successfully

Validation Points:

  • Code Signing EKU validated
  • Appropriate for PowerShell scripts, executables, MSI packages
  • Private key protection critical for code integrity

Scenario 4: Multi-Purpose

Purpose: Test detection of certificates with multiple EKU extensions (security concern).

Configuration:

Setting Value Rationale
EKU Server Authentication + Client Authentication Multiple EKUs create broader attack surface - violates least privilege
Key Usage DigitalSignature, KeyEncipherment Combined usage for both server and client operations
Store Local Machine System-wide store to demonstrate improper multi-purpose certificate deployment
Expected State ⚠️ Warning Should trigger warning for overly permissive certificate scope

Validation Points:

  • Multiple EKUs detected (broader attack surface)
  • Warning generated for multi-purpose usage
  • Violates principle of least privilege

Scenario 5: Any Purpose (Security Risk)

Purpose: Detect overly permissive "Any Purpose" certificates (critical security risk).

Configuration:

Setting Value Rationale
EKU Any Purpose (2.5.29.37.0) - simulated Unrestricted usage - can be used for ANY operation if compromised (maximum risk)
Key Usage DigitalSignature, KeyEncipherment, CertSign Broad key usage including CA signing capabilities - extremely dangerous
Store Local Machine System-wide to demonstrate critical risk of "Any Purpose" in production
Expected State ❌ Critical Must trigger critical error for immediate remediation

Validation Points:

  • Any Purpose EKU flagged as critical security risk
  • Unrestricted usage enables maximum attack surface
  • Immediate remediation required (replace with purpose-specific certificate)

Scenario 6: Missing Key Usage

Purpose: Identify certificates without explicit Key Usage extensions.

Configuration:

Setting Value Rationale
EKU Not defined Missing EKU makes certificate purpose unclear and unpredictable
Key Usage Not defined Missing Key Usage extension can cause application compatibility issues
Store Local Machine System-wide store to test detection of incomplete certificate definitions
Expected State ⚠️ Warning Should trigger warning for undefined usage - requires manual review

Validation Points:

  • Missing Key Usage extension detected
  • Warning for undefined certificate purpose
  • Requires manual review to determine intended usage

Batch Testing Script

Create all test scenarios with configurable flags:

# Nodinite Certificate Purpose & EKU Validation Testing Suite
# Creates comprehensive test scenarios for Enhanced Key Usage validation

Write-Host "=== Certificate Purpose & EKU Validation Testing Suite ===" -ForegroundColor Magenta

# ============================================================================
# CONFIGURATION - Enable/Disable Test Scenarios
# ============================================================================
$scenarios = @{
    ServerAuth         = $true   # Scenario 1: Server Authentication
    ClientAuth         = $true   # Scenario 2: Client Authentication
    CodeSigning        = $true   # Scenario 3: Code Signing
    MultiPurpose       = $true   # Scenario 4: Multi-Purpose (Warning)
    AnyPurpose         = $true   # Scenario 5: Any Purpose (Critical Risk)
    MissingKeyUsage    = $true   # Scenario 6: Missing Key Usage
}

$certificates = @()
$errorCount = 0

# ============================================================================
# Scenario 1: Server Authentication Certificate
# ============================================================================
if ($scenarios.ServerAuth) {
    Write-Host "`n[1/6] Creating Server Authentication certificate..." -ForegroundColor Cyan
    try {
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-ServerAuth, O=Nodinite Testing" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Server Authentication"
            Thumbprint = $cert.Thumbprint
            Store = "LocalMachine\My"
            Expected = "OK"
        }
        Write-Host "   <i class='far fa-circle-check' style='color:green'></i> Created: $($cert.Thumbprint)" -ForegroundColor Green
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Scenario 2: Client Authentication Certificate
# ============================================================================
if ($scenarios.ClientAuth) {
    Write-Host "`n[2/6] Creating Client Authentication certificate..." -ForegroundColor Cyan
    try {
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-ClientAuth, O=Nodinite Testing" `
            -CertStoreLocation "Cert:\CurrentUser\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -KeyUsage DigitalSignature `
            -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Client Authentication"
            Thumbprint = $cert.Thumbprint
            Store = "CurrentUser\My"
            Expected = "OK"
        }
        Write-Host "   <i class='far fa-circle-check' style='color:green'></i> Created: $($cert.Thumbprint)" -ForegroundColor Green
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Scenario 3: Code Signing Certificate
# ============================================================================
if ($scenarios.CodeSigning) {
    Write-Host "`n[3/6] Creating Code Signing certificate..." -ForegroundColor Cyan
    try {
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-CodeSigning, O=Nodinite Testing" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -KeyUsage DigitalSignature `
            -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Code Signing"
            Thumbprint = $cert.Thumbprint
            Store = "LocalMachine\My"
            Expected = "OK"
        }
        Write-Host "   <i class='far fa-circle-check' style='color:green'></i> Created: $($cert.Thumbprint)" -ForegroundColor Green
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Scenario 4: Multi-Purpose Certificate (Warning)
# ============================================================================
if ($scenarios.MultiPurpose) {
    Write-Host "`n[4/6] Creating Multi-Purpose certificate..." -ForegroundColor Yellow
    try {
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-MultiPurpose, O=Nodinite Testing, OU=Warning" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -KeyUsage DigitalSignature, KeyEncipherment `
            -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Multi-Purpose"
            Thumbprint = $cert.Thumbprint
            Store = "LocalMachine\My"
            Expected = "Warning"
        }
        Write-Host "   <i class='fal fa-exclamation-triangle' style='color:orange'></i> Created: $($cert.Thumbprint)" -ForegroundColor Yellow
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Scenario 5: Any Purpose Certificate (Critical Risk)
# ============================================================================
if ($scenarios.AnyPurpose) {
    Write-Host "`n[5/6] Creating Any Purpose certificate (SECURITY RISK)..." -ForegroundColor Red
    try {
        # Simulated Any Purpose certificate with broad key usage
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-AnyPurpose, O=Nodinite Testing, OU=CRITICAL RISK" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -KeyUsage DigitalSignature, KeyEncipherment, CertSign `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Any Purpose (Simulated)"
            Thumbprint = $cert.Thumbprint
            Store = "LocalMachine\My"
            Expected = "Critical"
        }
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Created: $($cert.Thumbprint)" -ForegroundColor Red
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Scenario 6: Missing Key Usage Certificate
# ============================================================================
if ($scenarios.MissingKeyUsage) {
    Write-Host "`n[6/6] Creating certificate with missing Key Usage..." -ForegroundColor Yellow
    try {
        $cert = New-SelfSignedCertificate `
            -Subject "CN=Nodinite-Test-MissingKeyUsage, O=Nodinite Testing, OU=Review Required" `
            -CertStoreLocation "Cert:\LocalMachine\My" `
            -KeyLength 2048 `
            -HashAlgorithm SHA256 `
            -NotAfter (Get-Date).AddDays(90)
        
        $certificates += @{
            Name = "Missing Key Usage"
            Thumbprint = $cert.Thumbprint
            Store = "LocalMachine\My"
            Expected = "Warning"
        }
        Write-Host "   <i class='fal fa-exclamation-triangle' style='color:orange'></i> Created: $($cert.Thumbprint)" -ForegroundColor Yellow
    } catch {
        Write-Host "   <i class='fal fa-times-circle' style='color:red'></i> Failed: $($_.Exception.Message)" -ForegroundColor Red
        $errorCount++
    }
}

# ============================================================================
# Summary Report
# ============================================================================
Write-Host "`n=== Test Certificate Summary ===" -ForegroundColor Magenta
Write-Host "Created: $($certificates.Count) certificates" -ForegroundColor Cyan
Write-Host "Failed:  $errorCount scenarios" -ForegroundColor $(if ($errorCount -gt 0) { "Red" } else { "Green" })

if ($certificates.Count -gt 0) {
    Write-Host "`n<i class='fas fa-table' aria-hidden='true'></i> Certificate Details:" -ForegroundColor Cyan
    foreach ($cert in $certificates) {
        $color = switch ($cert.Expected) {
            "OK" { "Green" }
            "Warning" { "Yellow" }
            "Critical" { "Red" }
            default { "White" }
        }
        Write-Host "  $($cert.Name.PadRight(30)) | $($cert.Thumbprint) | Expected: $($cert.Expected)" -ForegroundColor $color
    }
}

Write-Host "`n<i class='fas fa-lightbulb' aria-hidden='true'></i> Next Steps:" -ForegroundColor Cyan
Write-Host "  1. Configure Certificate Purpose & EKU Validation in monitoring agent" -ForegroundColor White
Write-Host "  2. Wait for agent discovery cycle (or force sync)" -ForegroundColor White
Write-Host "  3. Verify each certificate shows expected validation state" -ForegroundColor White
Write-Host "  4. Validate alert notifications for Warning/Critical certificates" -ForegroundColor White
Write-Host "  5. Run cleanup script when testing complete" -ForegroundColor White

Cleanup Script

Remove all test certificates after validation:

# Cleanup all Nodinite Certificate Purpose & EKU test certificates
Write-Host "=== Cleaning up Certificate Purpose test certificates ===" -ForegroundColor Magenta

$removed = 0
$failed = 0

# Remove from Local Machine store
Write-Host "`nCleaning Local Machine store..." -ForegroundColor Cyan
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*Nodinite-Test*" -or
    $_.Subject -like "*Nodinite Testing*"
} | ForEach-Object {
    try {
        Write-Host "  Removing: $($_.Subject) [$($_.Thumbprint)]" -ForegroundColor Gray
        Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force
        $removed++
    } catch {
        Write-Host "  Failed: $($_.Exception.Message)" -ForegroundColor Red
        $failed++
    }
}

# Remove from Current User store
Write-Host "`nCleaning Current User store..." -ForegroundColor Cyan
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -like "*Nodinite-Test*" -or
    $_.Subject -like "*Nodinite Testing*"
} | ForEach-Object {
    try {
        Write-Host "  Removing: $($_.Subject) [$($_.Thumbprint)]" -ForegroundColor Gray
        Remove-Item -Path "Cert:\CurrentUser\My\$($_.Thumbprint)" -Force
        $removed++
    } catch {
        Write-Host "  Failed: $($_.Exception.Message)" -ForegroundColor Red
        $failed++
    }
}

Write-Host "`n<i class='fas fa-check-circle' aria-hidden='true'></i> Cleanup Summary:" -ForegroundColor Green
Write-Host "  Removed: $removed certificates" -ForegroundColor Cyan
Write-Host "  Failed:  $failed certificates" -ForegroundColor $(if ($failed -gt 0) { "Red" } else { "Green" })

Usage Instructions

Running the Batch Script

  1. Open PowerShell 7 as Administrator:
# Verify PowerShell version
$PSVersionTable.PSVersion  # Should show 7.x or higher
  1. Configure Scenarios (optional):
  • Edit the $scenarios hashtable to enable/disable specific tests
  • Set to $false to skip scenarios you don't need
  1. Execute the Script:
  • Copy the batch script and run in PowerShell 7
  • Review output for creation status
  1. Monitor Results:
  • Wait for agent discovery (or force sync in Nodinite)
  • Verify expected states match actual monitoring results
  • Check alert notifications for Warning/Critical states
  1. Cleanup:
  • Run cleanup script when testing complete
  • Verify all test certificates removed

Validation Checklist

  • ✅ Server Authentication shows OK state
  • ✅ Client Authentication shows OK state
  • ✅ Code Signing shows OK state
  • ⚠️ Multi-Purpose generates Warning alert
  • ❌ Any Purpose generates Critical alert
  • ⚠️Missing Key Usage generates Warning alert

Frequently Asked Questions

Q: Why do I get script errors when running the PowerShell test scripts?
A: These scripts require PowerShell 7 or later with Administrator privileges. Verify your PowerShell version by running $PSVersionTable.PSVersion - it should show 7.x or higher. PowerShell 5.1 (Windows PowerShell) does not support the -TextExtension parameter used for configuring Enhanced Key Usage extensions. Download PowerShell 7+ from Microsoft's official site.

Q: How do I validate Certificate Purpose and EKU usage with Nodinite?
A: Run the Batch Testing Script (see section above) on your Windows Server to create test certificates with different EKU configurations (Server Auth, Client Auth, Code Signing, Multi-Purpose, Any Purpose, Missing Key Usage). The Nodinite monitoring agent will automatically discover these certificates during its next synchronization cycle and validate their purpose according to configured thresholds. Review the monitoring results in the Nodinite Web Client to verify each certificate shows the expected state (OK, Warning, or Critical).

Q: How do I enable Certificate Purpose and EKU validation in Nodinite?
A: Enable the "Validate Certificate Purpose" feature in the Windows Server Monitoring Agent configuration. See the comprehensive Certificate Configuration guide for step-by-step instructions on enabling validation, configuring detection thresholds, setting up alert notifications, and defining monitoring scopes for certificate stores.