- 11 minutes to read

FAQ - Chain Validation Testing Scenarios

Validate Chain Validation monitoring with automated PowerShell test scripts covering all detection scenarios - from untrusted roots and partial chains (ERROR) to revocation check failures (WARNING) and valid certificate chains (OK).

What's on This Page:

  • 6 Test Scenarios - Automated PowerShell 7 scripts for UntrustedRoot, PartialChain, NotTimeValid, RevocationStatusUnknown, Dev Mode, and Complete Valid Chain
  • Batch Testing Script - Create all test scenarios with configurable flags and error handling
  • Cleanup Script - Remove test certificates after validation testing
  • Validation Checklist - Verify expected monitoring states match actual results
  • Troubleshooting - Resolve testing-specific issues (PowerShell errors, chain building)

Why Test Chain Validation?

Chain validation testing prevents certificate trust failures from causing production outages. Testing ensures monitoring correctly identifies:

  • UntrustedRoot errors (ERROR) - Root CA not in trusted store causes application failures
  • PartialChain errors (ERROR) - Missing intermediate certificates break trust validation
  • NotTimeValid errors (ERROR) - Expired intermediates invalidate entire certificate chains
  • ⚠️ RevocationStatusUnknown warnings (WARNING) - CRL/OCSP unreachable, potential security gap
  • Valid chains (OK) - Complete, trusted certificate chains validate successfully

Related Documentation: See Chain Validation for complete feature documentation, detection examples, and remediation guidance.

Note

These scripts require PowerShell 7+ with Administrator privileges for certificate store access.

Warning

Never deploy test certificates to production environments. Always clean up after validation testing.

Chain Validation Example
Chain validation showing inline error diagnostics with specific chain errors and remediation recommendations.

Testing Scenarios Overview

# Scenario Purpose Expected State Key Focus
1 Untrusted Root Certificate Self-signed cert not in trusted store Critical UntrustedRoot chain error
2 Partial Chain (Missing Intermediate) Certificate without intermediate CA Critical PartialChain chain error
3 Expired Intermediate Certificate Expired intermediate breaks chain Critical NotTimeValid chain error
4 Revocation Check Failure CRL/OCSP unreachable ⚠️ Warning RevocationStatusUnknown
5 Valid Chain with Dev Mode Self-signed with AllowSelfSigned=true ⚠️ Warning Dev mode severity reduction
6 Complete Valid Chain Properly configured certificate chain OK All chain validation checks pass

Test Scenario Workflow

graph TD Start[" Start Testing"] --> Config[" Configure Scenarios"] Config --> S1{" Scenario 1<br/>UntrustedRoot"} Config --> S2{" Scenario 2<br/>PartialChain"} Config --> S3{" Scenario 3<br/>Expired Intermediate"} Config --> S4{" Scenario 4<br/>Revocation Failure"} Config --> S5{" Scenario 5<br/>Dev Mode"} Config --> S6{" Scenario 6<br/>Valid Chain"} S1 --> V1[" Critical"] S2 --> V2[" Critical"] S3 --> V3[" Critical"] S4 --> V4[" Warning"] S5 --> V5[" Warning"] S6 --> V6[" OK"] V1 --> Monitor[" Monitor Results"] V2 --> Monitor V3 --> Monitor V4 --> Monitor V5 --> Monitor V6 --> Monitor Monitor --> Validate[" Validate Alerts"] Validate --> Cleanup[" Cleanup Test Certs"] Cleanup --> End[" Testing Complete"] style S1 fill:#ffebee style S2 fill:#ffebee style S3 fill:#ffebee style S4 fill:#fff3e0 style S5 fill:#e3f2fd style S6 fill:#e8f5e9 style V1 fill:#ffcdd2 style V2 fill:#ffcdd2 style V3 fill:#ffcdd2 style V4 fill:#ffe0b2 style V5 fill:#bbdefb style V6 fill:#c8e6c9

Diagram: Chain validation test workflow showing scenario configuration, expected states, and monitoring verification process with color-coded severity levels.

Test Scenarios

Scenario 1: Untrusted Root Certificate

Purpose: Validate monitoring detection of self-signed certificates with root CA not in trusted store.

Configuration:

Setting Value Rationale
Certificate Type Self-signed Creates UntrustedRoot error
Subject CN=TestCert-UntrustedRoot Clearly identifies test purpose
Store Location Cert:\LocalMachine\My Standard personal certificate store
Key Length 2048-bit RSA Minimum secure key size
Validity Period 90 days Short validity for test certificates
Key Usage DigitalSignature, KeyEncipherment Standard SSL/TLS usage

Expected Results:

Aspect Value
Chain Error UntrustedRoot
State Critical (default) or ⚠️ Warning (if AllowSelfSignedCertificates=true)
Detection Root CA not found in Trusted Root Certification Authorities store
Alert "Untrusted root certificate detected" (if enabled)
Remediation Install root CA to trusted store OR enable dev mode for testing

Scenario 2: Partial Chain (Missing Intermediate)

Purpose: Validate detection of incomplete certificate chains with missing intermediate CA.

Configuration:

Setting Value Rationale
Chain Structure Root CA → Intermediate CA → End Entity Multi-level trust chain
Action Remove intermediate CA after creation Simulates missing intermediate
Subject CN=TestCert-PartialChain Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Key Length 2048-bit RSA Secure key size
Validity 90 days (end entity), 180 days (intermediate) Test certificate lifetimes

Expected Results:

Aspect Value
Chain Error PartialChain
State Critical
Detection Intermediate CA missing from chain path
Alert "Missing intermediate certificate(s) in chain"
Remediation Download and install missing intermediate CA certificate

Scenario 3: Expired Intermediate Certificate

Purpose: Validate detection of expired intermediate CA certificates breaking the chain.

Configuration:

Setting Value Rationale
Chain Structure Root CA (valid) → Intermediate CA (expired) → End Entity (valid) Mixed validity states
Intermediate Expiration Already expired OR expires during test Simulates NotTimeValid error
Subject CN=TestCert-ExpiredIntermediate Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Root Validity 365 days Long-lived root CA
End Entity Validity 90 days Standard certificate lifetime

Expected Results:

Aspect Value
Chain Error NotTimeValid
State Critical
Detection Expired intermediate CA in chain
Alert "Certificate chain contains expired certificate"
Remediation Renew expired intermediate CA certificate

Scenario 4: Revocation Check Failure

Purpose: Validate WARNING state when CRL/OCSP endpoints are unreachable.

Configuration:

Setting Value Rationale
CRL Distribution Point Invalid/unreachable URL Simulates network/firewall issue
OCSP Responder Invalid/unreachable URL Backup revocation method also fails
Subject CN=TestCert-RevocationFailure Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
ValidateRevocation true Must be enabled to trigger check

Expected Results:

Aspect Value
Chain Error RevocationStatusUnknown
State ⚠️ Warning
Detection Cannot contact CRL/OCSP endpoints
Alert "Unable to verify certificate revocation status"
Remediation Verify network connectivity, check firewall rules, ensure CRL/OCSP accessible

Scenario 5: Valid Chain with Dev Mode

Purpose: Validate AllowSelfSignedCertificates configuration downgrades UntrustedRoot to WARNING.

Configuration:

Setting Value Rationale
Certificate Type Self-signed Would normally be UntrustedRoot
Config Setting AllowSelfSignedCertificates=true Development/test mode enabled
Subject CN=TestCert-DevMode Identifies test scenario
Store Location Cert:\LocalMachine\My Personal certificate store
Environment Development/Test ONLY Never use in production

Expected Results:

Aspect Value
Chain Error UntrustedRoot (detected but severity reduced)
State ⚠️ Warning (instead of ❌ Critical)
Detection Self-signed certificate in dev/test mode
Alert "Self-signed certificate detected (dev mode)"
Note Configuration explicitly allows self-signed certs for testing

Scenario 6: Complete Valid Chain

Purpose: Validate monitoring correctly identifies healthy certificates with complete, trusted chains.

Configuration:

Setting Value Rationale
Certificate Type CA-issued OR properly configured self-signed chain Complete trust path
Chain Structure Root CA (trusted) → Intermediate CA → End Entity All certificates valid and trusted
Subject CN=TestCert-ValidChain Identifies test scenario
Store Location Cert:\LocalMachine\My (end entity), Cert:\LocalMachine\CA (intermediate), Cert:\LocalMachine\Root (root) Proper certificate placement
All Certificates Valid (not expired, not revoked) No chain errors
Trust Root CA in Trusted Root store Complete trust chain

Expected Results:

Aspect Value
Chain Error None
State OK
Detection Complete, trusted certificate chain with all validation checks passing
Alert No alert (healthy certificate)
Characteristics All certificates time-valid, trusted root, revocation checks pass, no policy violations

Batch Testing Script

Purpose: Create all 5 test scenarios with a single PowerShell script.

# Chain Validation Testing - Batch Script
# Creates all 6 test scenarios for chain validation monitoring
#
# Requires: PowerShell 7+, Administrator privileges
# Usage: .\Test-ChainValidation.ps1 -Scenarios 1,2,3,4,5,6

param(
    [int[]]$Scenarios = @(1,2,3,4,5,6),  # Which scenarios to create
    [switch]$Verbose                      # Show detailed output
)

Write-Host "=" * 70 -ForegroundColor Cyan
Write-Host "Chain Validation Test Suite" -ForegroundColor Cyan
Write-Host "==" * 70 -ForegroundColor Cyan
Write-Host ""

# Scenario 1: UntrustedRoot
if (1 -in $Scenarios) {
    Write-Host "[1/5] Creating UntrustedRoot scenario..." -ForegroundColor Yellow
    $cert1 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-UntrustedRoot, O=Nodinite Chain Testing" `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeyLength 2048 -NotAfter (Get-Date).AddDays(90)
    Write-Host "  ✓ Created: $($cert1.Thumbprint)" -ForegroundColor Green
}

# Scenario 2: PartialChain
if (2 -in $Scenarios) {
    Write-Host "[2/5] Creating PartialChain scenario..." -ForegroundColor Yellow
    $root2 = New-SelfSignedCertificate -Subject "CN=Test Root CA" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage CertSign -NotAfter (Get-Date).AddDays(365)
    $int2 = New-SelfSignedCertificate -Subject "CN=Test Intermediate CA" -Signer $root2 -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage CertSign -NotAfter (Get-Date).AddDays(180)
    $cert2 = New-SelfSignedCertificate -Subject "CN=TestCert-PartialChain" -Signer $int2 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddDays(90)
    Remove-Item "Cert:\LocalMachine\My\$($int2.Thumbprint)" -Force  # Create partial chain
    Write-Host "  ✓ Created: $($cert2.Thumbprint) (intermediate removed)" -ForegroundColor Green
}

# Scenario 3: NotTimeValid (Expired Intermediate)
if (3 -in $Scenarios) {
    Write-Host "[3/5] Creating NotTimeValid scenario..." -ForegroundColor Yellow
    Write-Host "  ⚠ Note: Requires pre-created expired certificate or manual expiration" -ForegroundColor Yellow
    # This scenario typically requires importing an expired certificate
    # Or using certificate backdating tools not available in standard PowerShell
}

# Scenario 4: RevocationStatusUnknown
if (4 -in $Scenarios) {
    Write-Host "[4/5] Creating RevocationStatusUnknown scenario..." -ForegroundColor Yellow
    $cert4 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-RevocationFailure, O=Nodinite Chain Testing" `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeyLength 2048 -NotAfter (Get-Date).AddDays(90) `
        -Extension @(
            [System.Security.Cryptography.X509Certificates.X509Extension]::new(
                "2.5.29.31",  # CRL Distribution Points
                [Convert]::FromBase64String("MGYwZKBioGCGXmh0dHA6Ly9pbnZhbGlkLXVybC1mb3ItdGVzdGluZy5leGFtcGxlL2NybA=="),
                $false
            )
        )
    Write-Host "  ✓ Created: $($cert4.Thumbprint)" -ForegroundColor Green
}

# Scenario 5: Dev Mode (Self-Signed with AllowSelfSignedCertificates)
if (5 -in $Scenarios) {
    Write-Host "[5/6] Creating Dev Mode scenario..." -ForegroundColor Yellow
    $cert5 = New-SelfSignedCertificate `
        -Subject "CN=TestCert-DevMode, O=Nodinite Chain Testing" `
        -CertStoreLocation "Cert:\LocalMachine\My" `
        -KeyLength 2048 -NotAfter (Get-Date).AddDays(90)
    Write-Host "  ✓ Created: $($cert5.Thumbprint)" -ForegroundColor Green
    Write-Host "  ⚠ Set AllowSelfSignedCertificates=true in agent config" -ForegroundColor Yellow
}

# Scenario 6: Complete Valid Chain
if (6 -in $Scenarios) {
    Write-Host "[6/6] Creating Complete Valid Chain scenario..." -ForegroundColor Yellow
    # Create root CA and install to Trusted Root store
    $root6 = New-SelfSignedCertificate -Subject "CN=Test Trusted Root CA" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage CertSign -NotAfter (Get-Date).AddYears(5)
    $root6Path = "Cert:\LocalMachine\My\$($root6.Thumbprint)"
    Move-Item $root6Path "Cert:\LocalMachine\Root"  # Move to Trusted Root store
    
    # Create intermediate CA and install to Intermediate store
    $int6 = New-SelfSignedCertificate -Subject "CN=Test Trusted Intermediate CA" -Signer $root6 -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage CertSign -NotAfter (Get-Date).AddYears(2)
    $int6Path = "Cert:\LocalMachine\My\$($int6.Thumbprint)"
    Move-Item $int6Path "Cert:\LocalMachine\CA"  # Move to Intermediate store
    
    # Create end-entity certificate signed by intermediate
    $cert6 = New-SelfSignedCertificate -Subject "CN=TestCert-ValidChain" -Signer $int6 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddDays(365)
    Write-Host "  ✓ Created complete chain: $($cert6.Thumbprint)" -ForegroundColor Green
    Write-Host "  ✓ Root CA installed to Trusted Root store" -ForegroundColor Green
    Write-Host "  ✓ Intermediate CA installed to CA store" -ForegroundColor Green
}

Write-Host ""
Write-Host "=" * 70 -ForegroundColor Cyan
Write-Host "Test certificate creation complete!" -ForegroundColor Green
Write-Host "Next: Monitor results in Nodinite Web Client" -ForegroundColor Cyan
Write-Host "=" * 70 -ForegroundColor Cyan

Cleanup Script

Purpose: Remove all test certificates after validation testing.

# Chain Validation Cleanup Script
# Removes all test certificates created by the batch testing script
#
# Requires: PowerShell 7+, Administrator privileges
# Usage: .\Cleanup-ChainValidation.ps1

Write-Host "Removing Chain Validation test certificates..." -ForegroundColor Cyan

# Find and remove test certificates
$testCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*Nodinite Chain Testing*" -or
    $_.Subject -like "CN=TestCert-*" -or
    $_.Subject -like "CN=Test Root CA*" -or
    $_.Subject -like "CN=Test Intermediate CA*"
}

if ($testCerts.Count -eq 0) {
    Write-Host "No test certificates found." -ForegroundColor Yellow
} else {
    Write-Host "Found $($testCerts.Count) test certificate(s)" -ForegroundColor White
    foreach ($cert in $testCerts) {
        Write-Host "  Removing: $($cert.Subject) [$($cert.Thumbprint)]" -ForegroundColor Gray
        Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Force
    }
    Write-Host "✓ Cleanup complete!" -ForegroundColor Green
}

Chain Validation Verification

After creating test certificates, verify Nodinite monitoring detects chain errors correctly:

  1. Wait for discovery - Allow 1-2 synchronization cycles (5-10 minutes default)
  2. Check Web Client - Navigate to Windows Server certificate monitoring
  3. Verify states - Confirm each test certificate shows expected state (Critical/Warning/OK)
  4. Check inline errors - Expand chain validation to see specific error details
  5. Test alerts - If enabled, verify alerts triggered for configured error types

Expected Timeline:

Time Event
T+0 Test certificates created
T+5 min First synchronization cycle discovers certificates
T+5 min Chain validation executes, errors detected
T+5 min Alerts generated (if enabled)
T+10 min Results visible in Web Client

Frequently Asked Questions

Q: Why do I get script errors when running the PowerShell test scripts?
A: These scripts require PowerShell 7 or later with Administrator privileges. Verify your PowerShell version by running $PSVersionTable.PSVersion - it should show 7.x or higher. PowerShell 5.1 (Windows PowerShell) has limitations with certificate chain manipulation. Download PowerShell 7+ from Microsoft's official site. Additionally, certificate chain operations require Administrator rights to access Cert:\LocalMachine stores.

Q: How do I validate Certificate Chain Validation with Nodinite?
A: Run the Batch Testing Script (see section above) on your Windows Server to create test scenarios for UntrustedRoot, PartialChain, NotTimeValid, RevocationStatusUnknown, and Dev Mode configurations. The Nodinite monitoring agent will automatically discover these certificates during its next synchronization cycle and validate their chains according to configured policies. Review the monitoring results in the Nodinite Web Client to verify each certificate shows the expected chain validation state with inline error diagnostics.

Q: How do I enable Enhanced Chain Validation in Nodinite?
A: Enable the "Enhanced Chain Validation" feature in the Windows Server Monitoring Agent configuration. See the comprehensive Certificate Configuration guide for step-by-step instructions on enabling validation, configuring alert preferences for each error category (UntrustedRoot, PartialChain, RevocationStatusUnknown), setting AllowSelfSignedCertificates for dev/test environments, and adjusting cache duration for performance optimization.

Next Steps

Run Chain Validation Test Scripts - Execute batch testing scenarios
Verify Enhanced Chain Validation - Confirm expected error categorization
Clean Up Test Certificates - Remove test certificates after validation

Certificate Overview
Certificate Monitoring
Certificate Configuration
FAQ: Certificate Testing Scenarios
FAQ: Weak Cryptography Testing Scenarios
FAQ: Certificates for gMSA Accounts