Secret Management with Automatic Certificate Handling
New 7.x
Take control of secret management and certificate automation with Nodinite. On this page, you will:
- ✅ Eliminate manual certificate provisioning and renewal
- ✅ Secure secrets using industry-standard cryptographic protocols
- ✅ Automate certificate lifecycle and renewal
- ✅ Protect secrets with a certificate held in the operating system’s certificate store
- ✅ Configure expiration and renewal thresholds for peace of mind
This diagram shows how Nodinite automatically manages certificates and uses them for secret encryption and decryption, including renewal and monitoring.
Encryption Overview
Nodinite uses a hybrid encryption approach to secure sensitive configuration data, such as passwords and connection strings. Each secret is encrypted with a fresh symmetric key (AES-256), and that key is then wrapped with the public key of a certificate using RSA-OAEP. Only the holder of the certificate's private key, which stays in the operating system's certificate store, can unwrap the key and decrypt the secret. This combines the speed of symmetric encryption with the key management benefits of asymmetric encryption.
This diagram illustrates the process of encrypting and decrypting secrets using a certificate stored in the operating system's certificate store.
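The following PowerShell is an added illustration of the scheme described above; it is not Nodinite's own code and makes no claims about Nodinite's file formats. It assumes a certificate with the subject below exists in the current user's Personal store (one is created with a non-exportable key if it does not), encrypts a secret with a random AES-256 key, wraps that key with RSA-OAEP (SHA-256) using the certificate's public key, and decrypts again by looking the certificate up by thumbprint:

```powershell
# Added example (not Nodinite's own code): hybrid AES-256 + RSA-OAEP protection of a secret
# using a certificate from the Windows certificate store.
# Assumption: the subject name below matches a certificate in Cert:\CurrentUser\My.
$subject = 'CN=Nodinite.PROD.XYZ.AutoGeneratedCert'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    # Test certificate only; the private key is non-exportable so it never leaves the store.
    $cert = New-SelfSignedCertificate -Subject $subject -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable `
        -KeyUsage KeyEncipherment, DataEncipherment -NotAfter (Get-Date).AddDays(365)
}

function Protect-Secret {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $PlainText
    )
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    try {
        $plain  = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        # Wrap the one-time AES key with the certificate's RSA public key (OAEP, SHA-256).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $wrapped = $rsa.Encrypt($aes.Key, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
        [pscustomobject]@{
            Algorithm  = 'AES256-RSA-OAEP'
            Thumbprint = $Certificate.Thumbprint            # identifies which certificate can unwrap the key
            WrappedKey = [Convert]::ToBase64String($wrapped)
            IV         = [Convert]::ToBase64String($aes.IV)
            CipherText = [Convert]::ToBase64String($cipher)
        }
    } finally {
        $aes.Dispose()
    }
}

function Unprotect-Secret {
    param([Parameter(Mandatory)] [pscustomobject] $Envelope)
    # Look the certificate up by thumbprint; decryption needs its private key.
    $cert = Get-Item "Cert:\CurrentUser\My\$($Envelope.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; cannot decrypt." }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $key = $rsa.Decrypt([Convert]::FromBase64String($Envelope.WrappedKey),
                        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $key
        $aes.IV  = [Convert]::FromBase64String($Envelope.IV)
        $cipher  = [Convert]::FromBase64String($Envelope.CipherText)
        $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        [Array]::Clear($key, 0, $key.Length)   # scrub the unwrapped AES key from memory
        $aes.Dispose()
    }
}

# Constructed sample secret (not a real connection string).
$envelope = Protect-Secret -Certificate $cert -PlainText 'Server=sql01;User Id=svc;Password=Example!'
$envelope | ConvertTo-Json
Unprotect-Secret -Envelope $envelope
```

The last line returns the original connection string. Two points worth noticing: the envelope stores the certificate thumbprint, so after a renewal the old certificate (or its private key) must still be available until every secret has been re-encrypted under the new one; and because the private key is non-exportable, an attacker who copies the envelope alone learns nothing without also running code as the account that owns the key.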
🔐 Configuration Settings for Secret Encryption
Configure encryption and certificate-based key management in your application using the following settings:
Field Label | Default Value / Example | Type | Description | Remarks / Gotchas / Links |
---|---|---|---|---|
Encryption Algorithm | AES256-RSA-OAEP | Dropdown | Select the encryption algorithm used to protect secrets. AES-256 encrypts the secret itself (symmetric), and RSA-OAEP with the certificate's public key protects the AES key (asymmetric). | ✅ Follows hybrid encryption best practices. 🔗 Understanding RSA-OAEP 🔐 Make sure all components consuming the secrets support this algorithm. |
Certificate Store Location | Windows Certificate Store | Dropdown | Choose where the app stores and looks for certificates. On Windows, the certificate is saved in the Personal store of the service account running the app. | 📌 Only Windows is currently supported. Store location may vary on Linux/containers. 🔗 Microsoft Docs: Certificate Stores |
Automatically Manage Certificate | Enabled (Checked) | Checkbox | When enabled, the app generates the certificate and manages its lifecycle automatically. No manual certificate creation or import is needed. | ✅ Recommended for most users. ⚠️ Auto-renewal requires write access to the certificate store. 🔐 If the auto-generated certificate is used across services, you are responsible for distributing and trusting it. |
Subject Name (CN) | CN=Nodinite.PROD.XYZ.AutoGeneratedCert | Text | The subject name of the generated certificate. It should be unique to avoid conflicts with other certificates in the store. | 📌 Avoid generic names like "Nodinite". 💡 Including the environment name helps differentiate certificates in multi-environment setups. ⚠️ Requires 'Automatically Manage Certificate' to be checked. ⚠️ The subject name must start with CN=. |
Key Size | 2048 (minimum recommended) | Dropdown | Select the RSA key size used for certificate generation. Larger keys are harder to break but make key wrapping and unwrapping slower. | 🔐 2048-bit is considered secure today. 🔗 NIST Key Management Guidelines 🚫 Avoid 1024-bit or lower. 🚫 Avoid 7680-bit or higher. |
Validity (Days) | 365 | Numeric (positive integers only) | Number of days the generated certificate is valid before it expires. | 🕒 Long validity reduces renewal overhead but increases exposure if the certificate is never rotated. 📌 Renewal behavior depends on "Expiration Warning Threshold (Days)". |
Expiration Warning Threshold (Days) | 30 | Numeric (positive integers only) | When the certificate is this many days (or fewer) from expiration, the app considers it "about to expire" and may trigger automatic renewal (if enabled). | 🛎️ Prevents downtime due to expired certificates. 🔐 Verify that alerting and renewal actually work before relying on them. 💡 Use the Nodinite Windows Server Monitoring Agent to monitor the expiry of the Windows certificate. |
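To make the lifecycle settings in the table concrete, here is an added PowerShell example (not Nodinite's code, and not its renewal logic) that applies the Subject Name, Key Size, Validity and Expiration Warning Threshold values to the Personal store of the account running the script: it finds the newest matching certificate, decides whether renewal is due, and issues a replacement when it is. The `$Config` hashtable and the function names are assumptions made for this example.

```powershell
# Added example (not Nodinite's own code): certificate lifecycle check driven by the
# settings above. Assumption: the Personal store of the running account is the store
# the application uses, and the account has write access to it (needed for renewal).
$Config = @{
    StoreLocation           = 'Cert:\CurrentUser\My'
    Subject                 = 'CN=Nodinite.PROD.XYZ.AutoGeneratedCert'
    KeySize                 = 2048
    ValidityDays            = 365
    ExpirationThresholdDays = 30
}

function New-ManagedCertificate {
    param([Parameter(Mandatory)] [hashtable] $Config)
    # Enforce the gotchas from the table before touching the store.
    if ($Config.Subject -notlike 'CN=*') { throw "Subject name must start with CN=" }
    if ($Config.KeySize -lt 2048)        { throw "Key sizes below 2048 bits are not allowed" }
    if ($Config.ValidityDays -lt 1)      { throw "Validity must be a positive number of days" }
    New-SelfSignedCertificate -Subject $Config.Subject -CertStoreLocation $Config.StoreLocation `
        -KeyAlgorithm RSA -KeyLength $Config.KeySize -KeyExportPolicy NonExportable `
        -KeyUsage KeyEncipherment, DataEncipherment `
        -NotAfter (Get-Date).AddDays($Config.ValidityDays)
}

function Get-ManagedCertificate {
    param([Parameter(Mandatory)] [hashtable] $Config)
    # Newest matching certificate wins. Older ones are deliberately left in the store so
    # that secrets wrapped under them can still be decrypted until they are re-encrypted.
    Get-ChildItem $Config.StoreLocation |
        Where-Object { $_.Subject -eq $Config.Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-CertificateRenewalDue {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [int] $ThresholdDays
    )
    if (-not $Certificate) { return $true }           # nothing in the store yet
    $daysLeft = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    # Inside the warning threshold, or already expired, means renewal is due.
    return ($daysLeft -le $ThresholdDays)
}

$cert = Get-ManagedCertificate -Config $Config
if (Test-CertificateRenewalDue -Certificate $cert -ThresholdDays $Config.ExpirationThresholdDays) {
    $cert = New-ManagedCertificate -Config $Config
    Write-Warning "Issued new certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"
} else {
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    Write-Output "Certificate $($cert.Thumbprint) is valid for $daysLeft more days; no renewal needed"
}
```

Run it as the service account (or under a scheduled task using that account) so it sees the same Personal store the application does; run as a different user and it will report or create certificates in the wrong store. Because renewal generates a new key pair, anything encrypted under the previous certificate must be re-encrypted before that certificate is removed, which is why the example never deletes old certificates.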
Critical Change: Service Account Passwords and Secret Encryption
Prior to Nodinite v7, changing the password for a service account would break the encryption and decryption of configuration files and secrets. This limitation required administrators to re-enter all secrets and passwords whenever a service account password was changed, increasing operational risk and complexity.
Starting with Nodinite v7, you can change service account passwords without breaking encryption or decryption of configuration files and secrets. This improvement streamlines maintenance, supports security best practices, and reduces downtime.
For details, see How to set Logon as a Service right.
Tip
If you still use Nodinite v6, update using the Updating from v6 to v7 guide to transition your secret management and certificate handling settings properly.
This diagram illustrates how changing the service account password does not break secret decryption in Nodinite v7 and later.
Next Step
Windows Certificates - You can use the Nodinite Windows Server Monitoring Agent to monitor the certificates used for secret encryption (and any other certificates within Windows).
Related Topics
To go deeper into the broader topic of secure secret handling, encryption, and monitoring:
- 🧰 Review Best Practices for Application-Level Secret Management
- 📖 Learn about Certificate Lifecycle Automation
- 🔐 Explore How Hybrid Encryption Works