Share This Article:

Windows Certificate Authority Email Notifications

If you manage a Windows Certificate Authority, you’ll probably want to setup email notifications when certain events happen within your PKI. For example, services start/stop, a certificate gets issued, a certificate gets revoked, a certificate request is pending, etc. Without email notifications, a Certificate Authority Manager would need to periodically check the CA for new events. Setting up email alerts can all be done in a command line interface, but we’ll provide a batch script where you just need to configure a few parameters and run it as an administrator on your Certification Authority servers.

How To Setup Email Notifications For Windows Certificate Authority Events

Below you’ll find a batch script which you can edit for your convenience. The items in bold are the required parameters to make the script function.

REM =================Begin Batch File ==================
@echo off

set emailfrom=”
set emailto=”

:Setup_SMTP_Server // Section for setting the name of the exchange server to be used and type of authentication to be used. 1 means to use NTLM, 2 means to user Kerberos, 0 is for Basic authentication
certutil -setreg exit\smtp\SMTPServer “
certutil -setreg exit\smtp\SMTPAuthenticate 0
REM If you need to authenticate to the above SMTP server, set the Username (in quotes) and the password to authenticate with
REM certutil -setsmtpinfo -p

:Setup_CA_For_Exit_Module // Section for turning events on or off. In this case, on.
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CRLISSUED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTDENIED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTISSUED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTPENDING
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTUNREVOKED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTRETRIEVEPENDING
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTREVOKED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_SHUTDOWN
certutil -setreg exit\smtp\eventfilter +EXITEVENT_STARTUP

:CrlIssued // Section for setting CRLIssued parameters.
certutil -setreg exit\smtp\CRLissued\To %emailto%
certutil -setreg exit\smtp\CRLissued\From %emailfrom%

:Denied // Section for setting Denied parameters
certutil -setreg exit\smtp\templates\default\Denied\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Denied\To %emailto%

:Certificate_Issued // Section for setting Issued parameters.
certutil -setreg exit\smtp\templates\default\Issued\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Issued\To %emailto%

:Certificate_Pending // Section for setting Pending parameters.
Certutil -setreg exit\smtp\templates\default\Pending\To %emailto%
certutil -setreg exit\smtp\templates\default\Pending\From %emailfrom%

:Certificate_Revoked // Section for setting Revoked parameters.
certutil -setreg exit\smtp\templates\default\Revoked\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Revoked\To %emailto%

:Certificate_Revoked // Section for setting UnRevoked parameters.
certutil -setreg exit\smtp\templates\default\unRevoked\From %emailfrom%
certutil -setreg exit\smtp\templates\default\unRevoked\To %emailto%

:Certificate_Revoked // Section for setting Retrieve Pending parameters.
certutil -setreg exit\smtp\templates\default\retrievepending\From %emailfrom%
certutil -setreg exit\smtp\templates\default\retrievepending\To %emailto%

:Certificate_Authority_Shutdown // Section for setting Shutdown parameters.
certutil -setreg exit\smtp\Shutdown\To %emailto%
certutil -setreg exit\smtp\Shutdown\From %emailfrom%

:Certificate_Authority_Startup // Section for setting Startup parameters.
certutil -setreg exit\smtp\Startup\To %emailto%
certutil -setreg exit\smtp\Startup\From %emailfrom%

net stop certsvc & net start certsvc
echo Certificate Services SMTP Exit module has now been configured.
REM ============ End Batch File ===============

In the script above, you’ll need to set the emailfrom and emailto. Next, you’ll need to set the SMTP server that can relay emails from your Certification Authority server. You may need to configure your email server to allow relays from the CA’s IP address. Finally, you’ll need to set the SMTPAuthenticate to the appropriate value based on your SMTP relay requirements.

If there are any events you don’t want to be notified about, you can comment out or remove all of the certutil -setreg lines pertaining to those events.

After you’ve edited the script, save it as a .bat file. On your Certificate Authority server, right-click on the .bat script and select Run As Administrator. The Certificate Authority services will stop and start during the configuration.

Share This Article:


Related Content