Configuring Windows Server Certificate Monitoring
Unlock comprehensive X.509 certificate security monitoring! This guide shows you how to configure the Nodinite Windows Server Monitoring Agent for real-time certificate tracking, expiration alerts, private key health validation, weak cryptography detection, chain validation, and IIS binding monitoring. Gain proactive alerts, self-service management, and seamless integration with Nodinite.
What you will achieve with this guide:
- ✅ Step-by-step configuration for certificate expiration and health monitoring
- ✅ Customizable thresholds, store selection, and validation options
- ✅ Self-service, role-based access for business and IT users
- ✅ Proactive alerts for security risks and compliance violations
Info
This guide provides step-by-step instructions for configuring the Nodinite Windows Server Monitoring Agent certificate monitoring.
Note
To enable monitoring and remote configuration, first install and create the initial Monitoring Agent Configuration for the Nodinite Windows Server Monitoring Agent. If you're a first-time user, start with the Remote Configuration.
Remote Configuration
As a Nodinite Administrator, click the 'Configuration' button to open a modal and configure the Windows Server Monitoring Agent:

Click the 'Configuration' button to open the configuration modal.
You can adjust configurations on each Resource using the Action button, provided your Monitor View has the Remote Actions feature enabled.
Nodinite groups Resources per Application using the value from the Description field. Learn more about Applications.
Add Certificate Monitoring Configuration
Enable certificate monitoring by checking the Enable Certificate monitoring checkbox, then configure options across the available tabs.

Certificate monitoring configuration tabs.
General Tab
The General tab contains global certificate monitoring settings including expiration thresholds and old certificate handling.

General tab for expiration thresholds and certificate-specific overrides.
Ignore Old Expired Certificates
Certificates that expired more than this many days ago are ignored: they raise no alerts and are shown for information only. Certificates that expired within this window, or that expire in the future, are evaluated against the Warning and Error thresholds below.
- Default: 90 days
- Range: 0–365 days
- Recommended: 30–90 days to catch recent expirations while ignoring long-dead certificates
Examples:
- Set to 0 to ignore all already-expired certificates (only certificates expiring today or later are evaluated)
- Set to 30 to alert on certificates that expired within the last 30 days and ignore those that expired 31 or more days ago
Warning Time Span (days)
The number of days before expiry at which a certificate enters the Warning state: once the remaining validity falls below this value, a Warning alert is triggered.
- Default: 45 days
- Range: 1–365 days
Error Time Span (days)
The number of days before expiry at which a certificate enters the Error state: once the remaining validity falls below this value, an Error alert is triggered. Keep this value smaller than the Warning Time Span so that a certificate passes through Warning before Error, as the defaults do.
- Default: 30 days
- Range: 1–365 days
Description
Specify a user-friendly short description about this configuration.
Specific Certificates
This list contains certificate-specific monitoring configurations that OVERRIDE the global thresholds above. Use the Edit action on a certificate Resource to add entries; this ensures accurate 'Issued By' and 'Issued To' matching.
Important
Do NOT manually edit the 'Issued By' or 'Issued To' values after creation: they are used to match certificates, and incorrect values will prevent monitoring of that certificate. Since this is a group configuration, all servers in the group are expected to have the same certificates with identical thresholds. If a server requires unique certificate monitoring settings, place it in a separate group.

Specific certificate configuration entry with custom thresholds.
| Field | Description | Notes |
|---|---|---|
| Issued By | Certificate issuer name | ⚠️ Do NOT modify after creation - used for matching |
| Issued To | Certificate subject name | ⚠️ Do NOT modify after creation - used for matching |
| Warning Time Span | Override global warning threshold | Range: 1–365 days |
| Error Time Span | Override global error threshold | Range: 1–365 days |
| Description | User-friendly description | ℹ️ Optional |
Store Name (Folders) Tab
Select which Windows certificate stores to monitor.
Tip
For detailed information about certificate stores and monitoring, see Certificate Monitoring and Certificate Overview.

Store Name (Folders) tab with available certificate store options.
| Store Name | Purpose | Default | Store Path |
|---|---|---|---|
| Monitor Local Machine Certificate Stores | Enable monitoring for primary system-wide certificate location | ✅ Enabled | - |
| Personal (My) | Server/service certificates with private keys (IIS SSL, service accounts, RDP) | ✅ Enabled | HKLM\...\MY |
| Trusted Root Certification Authorities (Root) | Root CA certificates Windows trusts by default or manually installed | ✅ Enabled | HKLM\...\Root |
| Intermediate Certification Authorities (CA) | Intermediate CA certificates for building chains and SSL/TLS validation | ✅ Enabled | HKLM\...\CA |
| Trusted Publishers | Software publisher certificates for SmartScreen and code signing | ❌ Disabled | HKLM\...\TrustedPublisher |
| Trusted People | Certificates for explicitly trusted individuals/entities (peer-to-peer) | ❌ Disabled | HKLM\...\TrustedPeople |
| Web Hosting (WebHosting) | IIS HTTPS binding certificates (local/remote). May not exist on all systems | ❌ Disabled | Custom: WebHosting |
| Third-Party Root CA (AuthRoot) | Root CA certificates auto-downloaded by Windows Certificate Trust List | ❌ Disabled | HKLM\...\AuthRoot |
| Untrusted Certificates (Disallowed) | Explicitly untrusted certificates (revoked/malicious). Usually empty | ❌ Disabled | HKLM\...\Disallowed |
| Other People (AddressBook) | S/MIME email encryption contact certificates. Rarely used in servers | ❌ Disabled | HKLM\...\AddressBook |
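The following script is an added example, not Nodinite code: it walks the Local Machine stores that are enabled by default on the Store Name (Folders) tab and classifies every certificate with the General tab rules (ignore window, Warning and Error time spans), including a per-certificate override in the spirit of the Specific Certificates list. Use it on a server to compare what is actually installed with what the agent reports. The store-name-to-`Cert:\LocalMachine\<name>` mapping, the override hashtable keyed on the full Issuer and Subject strings, and the rule that the Error window must be shorter than the Warning window are assumptions of this example; Nodinite's own 'Issued By'/'Issued To' matching is the agent's.

```powershell
# Added example (not Nodinite code): Test-CertificateExpiration.ps1
# Enumerates the Local Machine stores enabled by default on the Store Name (Folders)
# tab and classifies each certificate with the General tab rules.
# Assumptions (not from the page): store names map to Cert:\LocalMachine\<name>;
# the "Specific Certificates" override is modelled as a hashtable keyed on the
# certificate's full Issuer and Subject strings, joined by '|'.
param(
    [int]$IgnoreExpiredOlderThanDays = 90,      # General tab default (0-365)
    [int]$WarningDays = 45,                      # General tab default
    [int]$ErrorDays   = 30,                      # General tab default
    [string[]]$Stores = @('My', 'Root', 'CA'),   # stores enabled by default on the tab
    [hashtable]$Overrides = @{}                  # "<Issued By>|<Issued To>" -> @{ Warning = n; Error = n }
)

# Warning has to fire before Error, so the Error window must be the shorter one
# (the defaults 45/30 follow this; the page does not state it explicitly).
if ($ErrorDays -ge $WarningDays) {
    throw "ErrorDays ($ErrorDays) must be smaller than WarningDays ($WarningDays)"
}

function Get-ExpirationState {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarningWindow, [int]$ErrorWindow, [int]$IgnoreOlderThan
    )
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt -$IgnoreOlderThan) { return 'Ignored' }  # expired long ago: informational only
    if ($daysLeft -lt 0)                 { return 'Error'   }  # expired inside the window: alerts
    if ($daysLeft -le $ErrorWindow)      { return 'Error'   }
    if ($daysLeft -le $WarningWindow)    { return 'Warning' }
    return 'OK'
}

$report = $Stores | ForEach-Object {
    $store = $_
    # -ErrorAction SilentlyContinue: optional stores such as WebHosting may not exist
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue | ForEach-Object {
        $warn = $WarningDays; $err = $ErrorDays
        $key = "$($_.Issuer)|$($_.Subject)"
        if ($Overrides.ContainsKey($key)) {
            # Specific Certificates entry: per-certificate thresholds win over the global ones
            $warn = $Overrides[$key].Warning; $err = $Overrides[$key].Error
        }
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            DaysLeft   = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            State      = Get-ExpirationState -Cert $_ -WarningWindow $warn -ErrorWindow $err `
                             -IgnoreOlderThan $IgnoreExpiredOlderThanDays
            Thumbprint = $_.Thumbprint
        }
    }
}
$report | Sort-Object DaysLeft | Format-Table Store, State, DaysLeft, Subject, Issuer -AutoSize
```

Run it elevated so all Local Machine stores are readable. With `-IgnoreExpiredOlderThanDays 0` every already-expired certificate lands in `Ignored`, matching the "Set to 0" example on the General tab; with the default 90 a certificate that expired 31 days ago is reported as `Error`.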
User Accounts Tab
Monitor certificates in service account and impersonated user personal stores.
Tip
For gMSA (Group Managed Service Accounts), see FAQ: Certificates for gMSA Accounts.

User Accounts tab for service account and impersonated user credentials.
Monitor Agent Service Account Personal Store
Enable monitoring of the agent's service account personal store (CurrentUser\My only - NOT Local Machine stores).
- Default: Disabled (unchecked)
- Note: The heading displays the actual service account name (e.g., DEV\Administrator) but is not editable
Display Name for Agent Service Account
User-friendly name shown in Monitor Views instead of technical account name. Used to build resource name as 'server\displayname'.
- Example: NodiniteService instead of DEV\Administrator
- Purpose: Hides the technical service account identity in Monitor Views for cleaner presentation
Impersonated users
Enable monitoring of personal stores for each impersonated user configured below.
- Default: Disabled (unchecked)
- ⚠️ Important: Impersonation works ONLY on local agent machine. Groups with impersonation can only monitor ONE server.
Impersonated user accounts
List of user accounts to impersonate for monitoring their personal stores. Each user's store is scanned using that user's credentials on the local agent machine.
| Field | Description | Notes |
|---|---|---|
| Display Name | User-friendly name for Domain User | Used for resource naming |
| Domain User | Windows user account | Format: DOMAIN\User |
| Password | Password for domain user | ℹ️ Encrypted when saved in configuration file |
Revocation Tab
Configure certificate revocation status checking with CRL/OCSP validation.
Tip
For detailed information about revocation monitoring, see Revocation Monitoring. For testing scenarios with PowerShell scripts, see FAQ: Revocation Testing.

Revocation tab for CRL/OCSP validation settings.
| Setting | Description | Default | Options/Range |
|---|---|---|---|
| Revocation Mode | Mode used to check X509 certificate revocation | No Check | No Check, Online, Offline |
| Revocation Flag | Which X509 certificates in chain to check for revocation | Entire Chain | Entire Chain, End Certificate Only, Exclude Root |
| Enhanced Revocation Checking | Enable advanced revocation monitoring with detailed CRL/OCSP diagnostics. Master switch controls all sub-options below | ✅ Enabled | - |
| Alert on Expired CRL | Generate alerts when Certificate Revocation List (CRL) is past its NextUpdate date | ✅ Enabled | - |
| Alert on OCSP Responder Failure | Generate alerts when Online Certificate Status Protocol (OCSP) responder unavailable or unreachable | ✅ Enabled | - |
| OCSP Timeout Threshold (ms) | Alert if OCSP response takes longer than threshold in milliseconds | 5000 ms (5 seconds) | 1000-30000 ms |
Private Key Health Tab
Monitor certificate private keys for presence, accessibility, and security risks.
Tip
For detailed information about private key monitoring, see Private Key Health. For testing scenarios with PowerShell scripts, see FAQ: Private Key Health Testing.

Private Key Health tab for key monitoring settings.
| Setting | Description | Default | Notes |
|---|---|---|---|
| Monitor Private Key Health | Enable monitoring of private key presence, accessibility, and security posture | ✅ Enabled | - |
| Alert on Missing Private Key (Personal/My Store Only) | Generate ERROR when certificate in Personal/My store lacks private key. Applies to: (1) Local Machine → Personal (My) if monitored, (2) Agent Service Account → Personal (My) if monitored, (3) Impersonated Users → Personal (My) if monitored. Root CA and intermediate CA certificates excluded | ❌ Disabled | At least one Personal/My store must be enabled in Store Name (Folders) or User Accounts tabs |
| Alert on Exportable Private Key (Security Risk) | Generate WARNING when private key is marked as exportable (applies to all stores). Exportable keys can be stolen | ❌ Disabled | Security risk indicator |
| Minimum Private Key Length (bits) | Generate WARNING when key length is below this value (applies to all stores). Recommended: 2048 for RSA, 256 for ECDSA | 2048 bits | Valid range: 1024-16384 |
Cryptography Tab
Detect certificates using deprecated or weak cryptographic algorithms.
Tip
For detailed information about weak cryptography detection, see Weak Cryptography Detection. For testing scenarios with PowerShell scripts, see FAQ: Weak Cryptography Testing.

Cryptography tab for weak algorithm detection.
| Setting | Description | Default | Notes |
|---|---|---|---|
| Detect Weak Cryptography | Monitor certificate signature algorithms and public key strength to detect deprecated or insecure cryptographic standards | ✅ Enabled | - |
| Alert on MD5 Signatures | Generate ERROR when certificate uses MD5 hash algorithm which is cryptographically broken and insecure (applies to all stores) | ✅ Enabled | - |
| Alert on SHA-1 Signatures | Generate WARNING/ERROR when certificate uses deprecated SHA-1 hash algorithm. ERROR if issued after 2017-01-01, WARNING if issued before (applies to all stores) | ✅ Enabled | - |
| Alert on Weak RSA Keys | Generate ERROR when RSA public key size is below minimum threshold. Publicly trusted CAs have been barred from issuing RSA keys shorter than 2048 bits since 2014 (CA/Browser Forum Baseline Requirements), and modern clients treat shorter keys as weak (applies to all stores) | ✅ Enabled | - |
| Minimum RSA Public Key Size (bits) | Alert when RSA public key size is below this value (applies to all stores). NIST recommendation: 2048 bits minimum, 3072 bits recommended | 2048 bits | Valid range: 1024-16384 |
| Minimum ECC Public Key Size (bits) | Alert when ECC (Elliptic Curve) public key size is below this value (applies to all stores). NIST recommendation: 256 bits minimum | 256 bits | Valid range: 160-521 |
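The script below is an added example, not Nodinite code; it applies the Private Key Health and Cryptography tab rules above to the Local Machine stores so you can see which certificates the agent would flag before enabling the checks. Run it elevated, because reading a machine key's export policy requires access to the key. Two simplifications are assumptions of this example rather than statements from the page: the SHA-1 date rule uses the certificate's NotBefore as the issue date, and because a key pair has one length, the public key size stands in for both the "Minimum Private Key Length" check and the RSA/ECC minimums.

```powershell
# Added example (not Nodinite code): Test-KeyAndCryptoHealth.ps1
# Applies the Private Key Health and Cryptography tab rules to the Local Machine stores.
# Run elevated: opening machine private keys to read their export policy needs key access.
# Assumptions (not from the page): NotBefore is the issue date for the SHA-1 rule; the public
# key size is used for both the private-key-length and the RSA/ECC minimum checks.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

param(
    [string[]]$Stores = @('My', 'Root', 'CA'),
    [int]$MinRsaBits = 2048,                   # Cryptography tab default (1024-16384)
    [int]$MinEccBits = 256,                    # Cryptography tab default (160-521)
    [datetime]$Sha1ErrorFrom = '2017-01-01'    # SHA-1: ERROR if issued on/after this date
)

function Get-PublicKeyInfo {
    param([X509Certificate2]$Cert)
    # Returns the algorithm family and key size; Bits = 0 if neither RSA nor ECDSA
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return @{ Algorithm = 'RSA'; Bits = $rsa.KeySize } }
    try {
        $ecdsa = [ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
        if ($ecdsa) { return @{ Algorithm = 'ECC'; Bits = $ecdsa.KeySize } }
    } catch { }
    return @{ Algorithm = $Cert.PublicKey.Oid.FriendlyName; Bits = 0 }
}

function Test-PrivateKeyExportable {
    param([X509Certificate2]$Cert)
    # $true/$false when the key can be opened; $null if it cannot (no access, HSM, unknown provider)
    try {
        $key = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) { $key = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
        if (-not $key) { return $null }
        if ($key -is [RSACng] -or $key -is [ECDsaCng]) {
            # CNG key: exportable if either encrypted or plaintext export is allowed
            $allow = [CngExportPolicies]::AllowExport -bor [CngExportPolicies]::AllowPlaintextExport
            return (($key.Key.ExportPolicy -band $allow) -ne 0)
        }
        if ($key -is [RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.Exportable  # legacy CAPI key container
        }
        return $null
    } catch { return $null }
}

$Stores | ForEach-Object {
    $store = $_
    Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        $pub = Get-PublicKeyInfo $cert
        $findings = [System.Collections.Generic.List[string]]::new()

        # --- Private Key Health tab ---
        if ($store -eq 'My' -and -not $cert.HasPrivateKey) {
            $findings.Add('ERROR: Personal-store certificate has no private key')
        }
        if ($cert.HasPrivateKey -and (Test-PrivateKeyExportable $cert) -eq $true) {
            $findings.Add('WARNING: private key is exportable')
        }

        # --- Cryptography tab ---
        $sig = $cert.SignatureAlgorithm.FriendlyName     # e.g. sha256RSA, sha1RSA, md5RSA
        if ($sig -match '^md5') {
            $findings.Add("ERROR: MD5 signature ($sig)")
        } elseif ($sig -match '^sha1') {
            $sev = if ($cert.NotBefore -ge $Sha1ErrorFrom) { 'ERROR' } else { 'WARNING' }
            $findings.Add("${sev}: SHA-1 signature ($sig), issued $($cert.NotBefore.ToString('yyyy-MM-dd'))")
        }
        switch ($pub.Algorithm) {
            'RSA' { if ($pub.Bits -lt $MinRsaBits) { $findings.Add("ERROR: RSA key is $($pub.Bits) bits (< $MinRsaBits)") } }
            'ECC' { if ($pub.Bits -lt $MinEccBits) { $findings.Add("ERROR: ECC key is $($pub.Bits) bits (< $MinEccBits)") } }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Key        = "$($pub.Algorithm) $($pub.Bits)"
                Thumbprint = $cert.Thumbprint
                Findings   = $findings -join '; '
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

Expect SHA-1 WARNINGs on long-lived self-signed roots in the Root store: a trust anchor's self-signature is never verified by clients, so those findings are noise you may want to tolerate, whereas a SHA-1 or MD5 signature on a leaf or intermediate is a real problem. A `$null` exportability result means the key could not be opened at all, which is itself worth a look when the agent's service account is the one running the scan.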
Chain Validation Tab
Enable detailed chain validation with 20+ specific error types.
Tip
For detailed information about chain validation, see Chain Validation.

Chain Validation tab for trust chain verification.
Note
Understanding Chain vs Revocation: Chain Validation verifies the trust path (root CA, intermediates, certificates) while Revocation Monitoring checks if certificates have been invalidated before expiration. Both work together but serve different purposes. Chain validation can detect revocation issues during chain building, while revocation monitoring provides proactive infrastructure health (CRL freshness, OCSP responder availability).
| Setting | Description | Default | Notes |
|---|---|---|---|
| Enhanced Chain Validation | Perform detailed certificate chain validation with categorized error reporting and actionable recommendations. Master switch controls all sub-options below | ✅ Enabled | - |
| Alert on Untrusted Root Certificates | Generate alerts when root CA certificate is not in Trusted Root Certification Authorities store | ✅ Enabled | - |
| Alert on Partial Chains (Missing Intermediates) | Generate alerts when intermediate CA certificates are missing from chain. Most common configuration error | ✅ Enabled | - |
| Alert on Expired Intermediate Certificates | Generate alerts when intermediate CA certificates in chain have expired | ✅ Enabled | Can be overridden per certificate for legacy chains |
| Alert on Revocation Check Failures | Controls alert severity when chain validation encounters revocation errors. When enabled (default), revocation failures (RevocationStatusUnknown, OfflineRevocation) generate WARNING alerts. When disabled, revocation failures are ignored during chain validation | ✅ Enabled | Different from Revocation Tab Enhanced Revocation Checking which monitors CRL/OCSP infrastructure health |
| Allow Self-Signed Certificates (Dev/Test) | Reduce alert severity for self-signed certificates. Treats UntrustedRoot as WARNING instead of ERROR - useful in development/test environments where self-signed certs are expected | ❌ Disabled | Not recommended for production environments |
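The function below is an added example, not Nodinite code. It builds the chain for a certificate with the Revocation tab settings (mode, flag and timeout) and maps the resulting X509ChainStatus flags to the severities described on the Chain Validation tab, including the revocation-failure and self-signed downgrades. It approximates the OCSP threshold by timing the whole chain build and bounds each CRL/OCSP fetch with `UrlRetrievalTimeout`; "self-signed" is taken to mean Subject equals Issuer. All three are assumptions of this example.

```powershell
# Added example (not Nodinite code): Test-CertificateChain.ps1
# Builds the chain with the Revocation tab settings and maps X509ChainStatus flags to the
# severities described on the Chain Validation tab.
# Assumptions (not from the page): the OCSP threshold is approximated by timing the whole
# chain build; UrlRetrievalTimeout bounds each CRL/OCSP fetch; self-signed = Subject eq Issuer.
using namespace System.Security.Cryptography.X509Certificates

function Test-CertificateChain {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Cert,
        [X509RevocationMode]$RevocationMode = 'NoCheck',      # Revocation tab default
        [X509RevocationFlag]$RevocationFlag = 'EntireChain',  # Revocation tab default
        [int]$OcspTimeoutMs = 5000,                           # Revocation tab default
        [bool]$AlertOnRevocationFailure = $true,              # Chain Validation tab default
        [bool]$AllowSelfSigned = $false                       # Chain Validation tab default
    )
    $chain = [X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode      = $RevocationMode
        $chain.ChainPolicy.RevocationFlag      = $RevocationFlag
        $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromMilliseconds($OcspTimeoutMs)

        $sw    = [System.Diagnostics.Stopwatch]::StartNew()
        $valid = $chain.Build($Cert)
        $sw.Stop()

        $selfSigned = $Cert.Subject -eq $Cert.Issuer
        $findings = foreach ($status in $chain.ChainStatus) {
            $sev = switch ($status.Status.ToString()) {
                'UntrustedRoot'           { if ($AllowSelfSigned -and $selfSigned) { 'WARNING' } else { 'ERROR' } }
                'PartialChain'            { 'ERROR' }   # missing intermediate: the most common misconfiguration
                'NotTimeValid'            { 'ERROR' }   # leaf or an intermediate is outside its validity period
                'Revoked'                 { 'ERROR' }
                'RevocationStatusUnknown' { if ($AlertOnRevocationFailure) { 'WARNING' } else { 'IGNORED' } }
                'OfflineRevocation'       { if ($AlertOnRevocationFailure) { 'WARNING' } else { 'IGNORED' } }
                default                   { 'ERROR' }
            }
            "${sev}: $($status.Status) - $("$($status.StatusInformation)".Trim())"
        }

        # Attribute expiry to chain position: element 0 is the leaf, the last one the root
        $elements = $chain.ChainElements
        $expiredIntermediates = for ($i = 1; $i -lt $elements.Count - 1; $i++) {
            if ($elements[$i].ChainElementStatus | Where-Object { $_.Status -eq 'NotTimeValid' }) {
                $elements[$i].Certificate.Subject
            }
        }

        [pscustomobject]@{
            Subject              = $Cert.Subject
            Valid                = $valid
            ChainLength          = $elements.Count
            BuildMs              = $sw.ElapsedMilliseconds
            SlowRevocation       = ($RevocationMode -eq 'Online' -and $sw.ElapsedMilliseconds -gt $OcspTimeoutMs)
            ExpiredIntermediates = @($expiredIntermediates) -join '; '
            Findings             = @($findings) -join '; '
        }
    } finally {
        $chain.Dispose()
    }
}

# Usage: run on the monitored server, as the account the agent uses, so that the same
# stores, proxy settings and CRL cache apply.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateChain -Cert $_ -RevocationMode Online -RevocationFlag ExcludeRoot } |
    Format-Table Subject, Valid, BuildMs, ExpiredIntermediates, Findings -AutoSize -Wrap
```

With `-RevocationMode Offline` only cached CRLs are consulted, which is why the page separates chain-time revocation errors (here `RevocationStatusUnknown`/`OfflineRevocation`) from the Revocation tab's infrastructure checks: a stale cache produces a WARNING in the chain even when the OCSP responder is healthy.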
Purpose & EKU Tab
Validate that certificates match their intended purposes with Enhanced Key Usage (EKU) verification.
Tip
For detailed information about purpose validation, see Certificate Purpose and EKU.

Purpose & EKU tab for certificate usage validation.
| Setting | Description | Default | Notes |
|---|---|---|---|
| Validate Certificate Purpose & EKU | Validate certificates have appropriate Enhanced Key Usage (EKU) extensions and Key Usage flags. Master switch controls all sub-options below | ✅ Enabled | - |
| Alert on Missing Key Usage Extension | Generate WARNING when certificate lacks Key Usage extension. May cause compatibility issues with some applications | ✅ Enabled | - |
| Alert on 'Any Purpose' EKU (Security Risk) | Generate WARNING when certificate uses 'Any Purpose' EKU (2.5.29.37.0) which is overly permissive and violates least privilege principle | ✅ Enabled | - |
| Require Server Auth EKU for Detected Web Certificates | When enabled, alerts if certificate appears to be for web/SSL use (Personal store + private key + web naming patterns) but lacks Server Authentication EKU (1.3.6.1.5.5.7.3.1). Auto-detects based on store location and naming | ✅ Enabled | - |
| Require Code Signing EKU for Detected Code Signing Certificates | When enabled, alerts if certificate appears to be for code signing (contains 'Code Signing' in name) but lacks Code Signing EKU (1.3.6.1.5.5.7.3.3). Auto-detects based on naming patterns | ✅ Enabled | - |
| Skip EKU Validation for CA Certificates (Root/Intermediate) | When enabled, skips Key Usage extension checks for certificates in Root or CA stores. CA certificates don't typically have end-entity EKUs and this prevents false warnings | ✅ Enabled | - |
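The function below is an added example, not Nodinite code, showing how the Purpose & EKU tab checks can be reproduced on one certificate. The OIDs are the ones quoted on the tab. The "looks like a web certificate" heuristic (Personal store, private key present, DNS-shaped Common Name), the WARNING severity for the two "Require ... EKU" checks, and treating a certificate with no EKU extension at all as lacking the required EKU are assumptions of this example.

```powershell
# Added example (not Nodinite code): Test-CertificatePurpose.ps1
# Applies the Purpose & EKU tab rules to one certificate. OIDs are those quoted on the tab.
# Assumptions (not from the page): the web-certificate heuristic, the WARNING severity for the
# "Require ... EKU" checks, and treating "no EKU extension" as "required EKU missing".
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'
$AnyPurposeOid  = '2.5.29.37.0'

function Test-CertificatePurpose {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Store,       # My, Root, CA, ...
        [bool]$SkipForCaStores = $true              # tab default
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $isCaStore = $Store -in @('Root', 'CA', 'AuthRoot')

    # Missing Key Usage extension (skipped for CA stores when the tab option is on)
    if (-not ($SkipForCaStores -and $isCaStore) -and -not $ku) {
        $findings.Add('WARNING: no Key Usage extension')
    }
    # 'Any Purpose' EKU violates least privilege
    if ($ekuOids -contains $AnyPurposeOid) {
        $findings.Add("WARNING: 'Any Purpose' EKU ($AnyPurposeOid) is over-permissive")
    }
    # Web certificate heuristic: Personal store + private key + DNS-shaped CN
    $cn = $Cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $looksLikeWeb = ($Store -eq 'My') -and $Cert.HasPrivateKey -and ($cn -match '^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$')
    if ($looksLikeWeb -and $ekuOids -notcontains $ServerAuthOid) {
        $findings.Add("WARNING: '$cn' looks like a web certificate but has no Server Authentication EKU ($ServerAuthOid)")
    }
    # Code signing heuristic: the tab matches on 'Code Signing' in the name
    if ($Cert.Subject -match 'Code Signing' -and $ekuOids -notcontains $CodeSigningOid) {
        $findings.Add("WARNING: subject mentions Code Signing but has no Code Signing EKU ($CodeSigningOid)")
    }

    [pscustomobject]@{
        Store    = $Store
        Subject  = $Cert.Subject
        KeyUsage = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }
        EKU      = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '(none)' }
        Findings = $findings -join '; '
    }
}

# Usage: scan the stores enabled by default and show only certificates with findings
$results = foreach ($store in 'My', 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object { Test-CertificatePurpose -Cert $_ -Store $store }
}
$results | Where-Object Findings | Format-Table Store, Subject, EKU, Findings -AutoSize -Wrap
```

A certificate with no EKU extension is, per RFC 5280, valid for any purpose; whether that should count as "lacks Server Authentication EKU" is a policy decision, which is why the example flags it and says so in the finding text rather than silently passing it.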
IIS Bindings Tab
Monitor IIS certificate bindings and detect mismatches, missing certificates, and binding issues.
Tip
For detailed information about IIS binding monitoring, see IIS Binding and SAN Monitoring. For testing scenarios with PowerShell scripts, see FAQ: IIS Binding and SAN Monitoring.
Note
Opt-in feature: disabled by default. Enable it only on servers that run IIS; the check degrades gracefully if IIS is not installed.

IIS Bindings tab for HTTPS binding validation.
| Setting | Description | Default | Notes |
|---|---|---|---|
| Monitor IIS Certificate Bindings | Cross-reference IIS HTTPS bindings with installed certificates. Requires IIS installed on monitored server. Gracefully skips if IIS not detected. Uses existing Warning/Error TimeSpan thresholds for expiration alerts | ❌ Disabled | Opt-in feature |
| Alert on Missing Bound Certificate (Orphaned Binding) | Generate ERROR when IIS HTTPS binding references certificate that does not exist in certificate store. Indicates broken HTTPS configuration that will fail at runtime | ✅ Enabled | Can be overridden per certificate |
| Alert on Expired Bound Certificate | Generate ERROR/WARNING when certificate bound to IIS HTTPS site is expired or expiring soon. Uses existing Warning/Error TimeSpan thresholds configured in General tab | ✅ Enabled | Can be overridden per certificate |
| Alert on Hostname Mismatch | Generate WARNING when IIS binding hostname does not match certificate's Subject or Subject Alternative Names (SAN). Supports wildcard certificates (*.example.com) | ✅ Enabled | Can be overridden per certificate |
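The script below is an added example, not Nodinite code. It cross-references every IIS HTTPS binding with the certificate it points at and applies the three IIS Bindings tab checks: orphaned binding, expiry against the General tab thresholds, and host header versus Subject/SAN with one-label wildcard matching. It needs the WebAdministration module (IIS management tools). Parsing SAN entries from the English "DNS Name=" text that `Format()` produces, and skipping the hostname check for bindings without a host header, are assumptions of this example.

```powershell
# Added example (not Nodinite code): Test-IisHttpsBindings.ps1
# Cross-references IIS HTTPS bindings with installed certificates, applying the IIS Bindings
# tab checks. Requires the WebAdministration module (IIS management tools).
# Assumptions (not from the page): SAN names are parsed from the English "DNS Name=" format;
# bindings without a host header get no hostname check.
param([int]$WarningDays = 45, [int]$ErrorDays = 30)   # General tab defaults

Import-Module WebAdministration -ErrorAction Stop

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17)
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-HostnameMatch {
    param([string]$Hostname, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $Hostname) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches www.example.com,
        # but neither example.com nor a.b.example.com
        if ($name.StartsWith('*.') -and ($Hostname -match '^[^.]+\.(.+)$') -and ($Matches[1] -eq $name.Substring(2))) {
            return $true
        }
    }
    return $false
}

$results = foreach ($b in Get-WebBinding -Protocol https) {
    $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3   # "IP:port:hostheader"
    $site  = [regex]::Match($b.ItemXPath, "@name='([^']+)'").Groups[1].Value
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }   # WebHosting on IIS 8+
    $hash  = $b.certificateHash
    $cert  = $null
    $state = [System.Collections.Generic.List[string]]::new()

    if (-not $hash) {
        $state.Add('WARNING: binding carries no certificate hash')
    } else {
        $cert = Get-Item "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue
        if (-not $cert) {
            # Orphaned binding: HTTPS will fail at runtime for this site
            $state.Add("ERROR: orphaned binding, $hash not found in LocalMachine\$store")
        } else {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if     ($daysLeft -lt 0)            { $state.Add("ERROR: bound certificate expired $(-$daysLeft) days ago") }
            elseif ($daysLeft -le $ErrorDays)   { $state.Add("ERROR: bound certificate expires in $daysLeft days") }
            elseif ($daysLeft -le $WarningDays) { $state.Add("WARNING: bound certificate expires in $daysLeft days") }
            if ($hostHeader -and -not (Test-HostnameMatch $hostHeader (Get-CertificateDnsNames $cert))) {
                $state.Add("WARNING: host header '$hostHeader' is not in the certificate's Subject/SAN")
            }
        }
    }
    [pscustomobject]@{
        Site       = $site
        Binding    = $b.bindingInformation
        Store      = $store
        Thumbprint = $hash
        Subject    = if ($cert) { $cert.Subject } else { '' }
        State      = if ($state.Count) { $state -join '; ' } else { 'OK' }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Bindings without a host header (`*:443:`) serve whatever certificate is bound regardless of the name the client asked for, so the hostname check is meaningless there; a missing certificate hash usually means the site relies on the IIS central certificate store, which this example does not inspect.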
Duplicates Tab
Detect multiple certificates with identical Subject and SAN combinations.
Tip
For detailed information about duplicate detection, see Duplicate Certificate Detection.

Duplicates tab for duplicate certificate detection.
| Setting | Description | Default | Notes |
|---|---|---|---|
| Detect Duplicate Certificates | Detect multiple certificates with identical Subject + SAN combination (different thumbprints). Helps identify renewal confusion or misconfigurations | ✅ Enabled | - |
| Alert on Duplicates with Private Keys (Higher Severity) | Generate ERROR when multiple certificates with same Subject+SAN both have private keys. More serious as it creates ambiguous certificate selection for applications | ✅ Enabled | - |
| Alert on Duplicates Across Different Stores | Generate WARNING when duplicate certificates found in different certificate stores (e.g., LocalMachine\My and CurrentUser\My). Can cause confusion about which certificate is being used | ✅ Enabled | - |
| Maximum Allowed Duplicates | Alert when number of certificates with same Subject+SAN exceeds this threshold. Default: 1 (alert when more than 1 certificate exists). Set to 2 to allow old+new during renewal overlap | 1 | Range: 1-10 |
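The script below is an added example, not Nodinite code. It groups certificates by Subject plus sorted SAN DNS names across several stores and reports groups whose number of distinct thumbprints exceeds the Duplicates tab threshold, applying the tab's two severity rules (ERROR when more than one copy holds a private key, WARNING otherwise, with a cross-store flag). Building the key from the full Subject string and the DNS names parsed from the English "DNS Name=" SAN text, and passing the stores as `Cert:` provider paths, are assumptions of this example.

```powershell
# Added example (not Nodinite code): Find-DuplicateCertificates.ps1
# Groups certificates by Subject + sorted SAN DNS names and reports groups with more distinct
# thumbprints than the Duplicates tab allows, using the tab's severity rules.
# Assumptions (not from the page): the key uses the full Subject string and the DNS names
# parsed from the English "DNS Name=" SAN text; stores are given as Cert: provider paths.
param(
    [string[]]$Stores = @('LocalMachine\My', 'LocalMachine\WebHosting', 'CurrentUser\My'),
    [int]$MaxAllowed = 1     # Duplicates tab default; set 2 to tolerate old+new during renewal
)

$certs = foreach ($storePath in $Stores) {
    Get-ChildItem "Cert:\$storePath" -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dns  = @()
        if ($san) {
            $dns = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        }
        [pscustomobject]@{
            Store         = $storePath
            Subject       = $cert.Subject
            Key           = "$($cert.Subject)|$($dns -join ',')"   # same Subject + same SAN set
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
        }
    }
}

$certs | Group-Object Key | ForEach-Object {
    $group  = $_.Group
    $thumbs = @($group.Thumbprint | Select-Object -Unique)
    # The same thumbprint installed in two stores is one certificate, not a duplicate
    if ($thumbs.Count -le $MaxAllowed) { return }

    $withKeys   = @($group | Where-Object HasPrivateKey)
    $storesSeen = @($group.Store | Select-Object -Unique)
    # Tab rules: more than one copy with a private key -> ERROR; otherwise WARNING
    $severity = if ($withKeys.Count -gt 1) { 'ERROR' } else { 'WARNING' }
    [pscustomobject]@{
        Severity       = $severity
        Subject        = $group[0].Subject
        Copies         = $thumbs.Count
        WithPrivateKey = $withKeys.Count
        CrossStore     = $storesSeen.Count -gt 1
        Stores         = $storesSeen -join ', '
        NewestExpires  = ($group | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter
        Thumbprints    = $thumbs -join ', '
    }
} | Sort-Object Severity, Subject | Format-Table -AutoSize -Wrap
```

During a renewal window the expected picture is two copies of the same Subject+SAN, the newer with a later `NotAfter` and both with private keys; raising `-MaxAllowed` to 2 silences that case without hiding a third stray copy. Once the old certificate is removed and bindings point at the new thumbprint, the group disappears from the report.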
For information about saving configuration changes and adding the Windows Server Monitoring Agent Configuration, see:
Next Step
Add or manage a Monitoring Agent Configuration
Add or manage Monitor View
Certificate Remote Actions