- 8 minutes to read

FAQ - Certificate Purpose and EKU Testing Scenarios

Validate Certificate Purpose and EKU monitoring with automated PowerShell test scripts covering all detection scenarios - from properly scoped single-purpose certificates (OK) to security risks like "Any Purpose" certificates (ERROR) and multi-purpose configurations (WARNING).

What's on This Page:

  • 6 Test Scenarios - Config tables and validation points for Server Auth, Client Auth, Code Signing, Multi-Purpose, Any Purpose, and Missing EKU
  • Batch Testing Script - Create all test certificates with a signed Root CA for chain validation
  • Cleanup and Diagnostic Script - Remove test certificates and diagnose leftover artifacts
  • Validation Checklist - Verify expected monitoring states match actual results
  • Troubleshooting - Resolve testing-specific issues (agent detection, configuration, PowerShell errors)

Why Test Certificate Purpose?

Certificate purpose validation prevents security risks from overly permissive certificates. Testing ensures monitoring correctly identifies:

  • Any Purpose certificates (ERROR) - Can be used for ANY operation if compromised
  • ⚠️ Multi-purpose certificates (WARNING) - Broader attack surface than needed
  • ⚠️ Missing Key Usage (WARNING) - Unclear purpose, potential compatibility issues
  • Single-purpose certificates (OK) - Properly scoped, follows least privilege

Related Documentation: See Certificate Purpose and EKU for complete feature documentation, security context, detection examples, and best practices.

Note

These scripts require PowerShell 7+ with Administrator privileges for certificate store access.

Warning

Never deploy test certificates to production environments. Always clean up after validation testing.

Certificate Purpose Validation Example
Certificate purpose validation showing Enhanced Key Usage extensions and security assessment results.

Testing Scenarios Overview

# Scenario Purpose Expected State Key Focus
1 Server Authentication SSL/TLS server certificates OK Server Auth EKU (1.3.6.1.5.5.7.3.1)
2 Client Authentication Client auth & mTLS OK Client Auth EKU (1.3.6.1.5.5.7.3.2)
3 Code Signing Software & script signing OK Code Signing EKU (1.3.6.1.5.5.7.3.3)
4 Multi-Purpose Multiple EKUs (broader scope) Warning Server + Client Auth combined
5 Any Purpose Overly permissive certificate Critical Any Purpose EKU (2.5.29.37.0)
6 Missing EKU No Extended Key Usage extension Warning No EKU extension defined

Test Scenario Workflow

graph TD Start[Start Testing] --> Config[Configure Scenarios] Config --> S1{Scenario 1 Server Auth} Config --> S2{Scenario 2 Client Auth} Config --> S3{Scenario 3 Code Signing} Config --> S4{Scenario 4 Multi-Purpose} Config --> S5{Scenario 5 Any Purpose} Config --> S6{Scenario 6 Missing EKU} S1 --> V1[OK] S2 --> V2[OK] S3 --> V3[OK] S4 --> V4[Warning] S5 --> V5[Critical] S6 --> V6[Warning] V1 --> Monitor[Monitor Results] V2 --> Monitor V3 --> Monitor V4 --> Monitor V5 --> Monitor V6 --> Monitor Monitor --> Validate[Validate Alerts] Validate --> Cleanup[Cleanup Test Certs] Cleanup --> End[Testing Complete] style S1 fill:#e3f2fd style S2 fill:#e3f2fd style S3 fill:#e3f2fd style S4 fill:#fff3e0 style S5 fill:#ffebee style S6 fill:#fff3e0 style V1 fill:#c8e6c9 style V2 fill:#c8e6c9 style V3 fill:#c8e6c9 style V4 fill:#ffe0b2 style V5 fill:#ffcdd2 style V6 fill:#ffe0b2

Diagram: Full testing workflow from scenario configuration through certificate creation, monitoring validation, and cleanup.

Test Scenarios

Scenario 1: Server Authentication

Purpose: Validate SSL/TLS server certificate monitoring with proper Server Authentication EKU.

Setting Value Rationale
EKU Server Authentication (1.3.6.1.5.5.7.3.1) Single-purpose EKU for HTTPS/TLS servers - follows least privilege principle
Key Usage DigitalSignature, KeyEncipherment Required for SSL/TLS handshake and session key encryption
Store Local Machine Server certificates must be accessible to IIS/services running under system accounts
Expected State ✅ OK Properly scoped certificate should pass validation without warnings

Tip

Using certificates with IBM MQ? IBM MQ has version-specific certificate storage: legacy agents (.NET Framework 4.8) use IBM MQ Key Database files (.kdb), while modern agents (.NET 9/10) support Windows Certificate Store. See IBM MQ SSL FAQ for conversion guidance.

Validation Points:

  • Server Auth EKU present and validated
  • Appropriate for IIS bindings, API endpoints, HTTPS services
  • No security warnings for properly scoped certificate

Scenario 2: Client Authentication

Purpose: Test client authentication certificate validation for mTLS and client auth scenarios.

Setting Value Rationale
EKU Client Authentication (1.3.6.1.5.5.7.3.2) Single-purpose EKU for client-side authentication (mTLS, VPN, smart cards)
Key Usage DigitalSignature Client certificates only need to sign authentication challenges
Store Local Machine All test certificates installed in LocalMachine\My for consistency
Expected State ✅ OK Properly scoped client certificate should pass validation

Validation Points:

  • Client Auth EKU properly configured
  • Suitable for mutual TLS, VPN client auth, smart card authentication
  • Single-purpose certificate with appropriate scope

Scenario 3: Code Signing

Purpose: Verify code signing certificate purpose validation.

Setting Value Rationale
EKU Code Signing (1.3.6.1.5.5.7.3.3) Single-purpose EKU for signing executables, scripts, and software packages
Key Usage DigitalSignature Code signing only requires ability to create digital signatures
Store Local Machine Shared code signing certificates accessible to build servers and deployment systems
Expected State ✅ OK Purpose-specific code signing certificate should validate successfully

Validation Points:

  • Code Signing EKU validated
  • Appropriate for PowerShell scripts, executables, MSI packages
  • Private key protection critical for code integrity

Scenario 4: Multi-Purpose

Purpose: Test detection of certificates with multiple EKU extensions (security concern).

Setting Value Rationale
EKU Server Authentication + Client Authentication Multiple EKUs create broader attack surface - violates least privilege
Key Usage DigitalSignature, KeyEncipherment Combined usage for both server and client operations
Store Local Machine System-wide store to demonstrate improper multi-purpose certificate deployment
Expected State ⚠️ Warning Should trigger warning for overly permissive certificate scope

Validation Points:

  • Multiple EKUs detected (broader attack surface)
  • Warning generated for multi-purpose usage
  • Violates principle of least privilege

Scenario 5: Any Purpose (Security Risk)

Purpose: Detect overly permissive "Any Purpose" certificates (critical security risk).

Setting Value Rationale
EKU Any Purpose (2.5.29.37.0) Unrestricted usage - can be used for ANY operation if compromised (maximum risk)
Key Usage DigitalSignature, KeyEncipherment Standard key usage combined with Any Purpose EKU creates security risk
Store Local Machine System-wide to demonstrate critical risk of "Any Purpose" in production
Expected State ❌ Critical Must trigger critical error for immediate remediation

Validation Points:

  • Any Purpose EKU (OID 2.5.29.37.0) flagged as critical security risk
  • Unrestricted usage enables maximum attack surface
  • Immediate remediation required (replace with purpose-specific certificate)

Scenario 6: Missing EKU

Purpose: Identify certificates without explicit Enhanced Key Usage (EKU) extensions.

Setting Value Rationale
EKU Not defined Missing EKU makes certificate purpose unclear and unpredictable
Key Usage Default (PowerShell adds automatically) PowerShell adds default Key Usage; omitting EKU creates undefined purpose
Store Local Machine System-wide store to test detection of incomplete certificate definitions
Expected State ⚠️ Warning Should trigger warning for undefined EKU - requires manual review

Note

PowerShell's New-SelfSignedCertificate cmdlet always adds default Key Usage values even when not specified. This scenario omits the -TextExtension parameter to create a certificate without an EKU extension. To create a certificate that truly lacks both Key Usage AND EKU extensions, use certreq.exe with a custom INF file that explicitly omits both extensions.

Validation Points:

  • Missing EKU extension detected
  • Warning for undefined certificate purpose
  • Requires manual review to determine intended usage

Batch Testing Script

The Batch Testing Script creates all 6 test scenarios in a single run, including a signed test Root CA for chain validation compatibility.

Tip

Chain Validation Compatible: The batch script creates a test Root CA installed to the Trusted Root store so chain validation passes automatically — no need to disable chain validation or enable dev mode.

What the script does:

  • Creates a test Root CA signed by itself (installed to LocalMachine\Root)
  • Issues all 6 test certificates signed by the test Root CA
  • Outputs a summary with thumbprint and expected monitoring state per certificate

→ View Full Batch Testing Script

Cleanup Script

The Cleanup and Diagnostic Script removes all test certificates and the test Root CA after validation.

Important

The cleanup script removes both the 6 test certificates (from LocalMachine\My) and the Nodinite Test Root CA (from LocalMachine\Root).

→ View Full Cleanup and Diagnostic Script

Usage Instructions

Running the Batch Script

  1. Open PowerShell 7 as Administrator and verify version: $PSVersionTable.PSVersion

  2. Configure Scenarios (optional): Edit the $scenarios hashtable to enable/disable specific tests

  3. Execute the script from Batch Testing Script

  4. Monitor Results: Wait for agent discovery (or force sync), then verify expected states match actual monitoring results

  5. Cleanup: Run the Cleanup and Diagnostic Script when testing is complete

Validation Checklist

  • Chain validation passes (all certs trusted via test Root CA)
  • ✅ Server Authentication shows OK state
  • ✅ Client Authentication shows OK state
  • ✅ Code Signing shows OK state
  • ⚠️ Multi-Purpose generates Warning alert
  • ❌ Any Purpose generates Critical alert
  • ⚠️ Missing EKU generates Warning alert

Frequently Asked Questions

Q: Why do I get script errors when running the PowerShell 7 test scripts?
A: These scripts require PowerShell 7 or later with Administrator privileges. Verify your PowerShell version by running $PSVersionTable.PSVersion — it should show 7.x or higher. PowerShell 5.1 (Windows PowerShell) does not support the -TextExtension parameter used for configuring Enhanced Key Usage extensions. Download PowerShell 7+ from Microsoft's official site.

Q: Will these test certificates trigger chain validation errors?
A: No — the batch script creates a test Root CA and automatically installs it to the Trusted Root Certification Authorities store. All 6 test certificates are signed by this CA, ensuring chain validation passes. The Cleanup and Diagnostic Script removes both the test certificates and the Root CA.

Q: How do I validate Certificate Purpose and EKU usage with Nodinite?
A: Run the Batch Testing Script on your Windows Server to create test certificates with different EKU configurations. The Nodinite monitoring agent will automatically discover these certificates during its next synchronization cycle. Review monitoring results in the Nodinite Web Client to verify each certificate shows the expected state.

Q: How do I enable Certificate Purpose and EKU validation in Nodinite?
A: Enable the "Validate Certificate Purpose" feature in the Windows Server Monitoring Agent configuration. See the Certificate Configuration guide for step-by-step instructions.