How To Setup Email Notifications For Windows Certificate Authority Events


Windows Certificate Authority Email Notifications

If you manage a Windows Certificate Authority, you’ll probably want to set up email notifications for certain events within your PKI: the service starting or stopping, a certificate being issued, a certificate being revoked, a certificate request going pending, and so on. Without email notifications, a Certificate Authority Manager would have to check the CA periodically for new events. Everything needed for email alerts can be done from the command line, but below we provide a batch script in which you only need to configure a few parameters before running it as an administrator on your Certification Authority servers.


Below you’ll find a batch script which you can edit for your convenience. The parameters that must be set for the script to work are emailfrom, emailto, the SMTPServer name and the SMTPAuthenticate value.

REM =================Begin Batch File ==================
@echo off

REM Required: sender and recipient of every notification (keep the quotes)
set emailfrom="[email protected]"
set emailto="[email protected]"

:Setup_SMTP_Server
REM Name of the mail server the CA relays through, and the authentication type to use:
REM 1 means to use NTLM, 2 means to use Kerberos, 0 is for Basic authentication
certutil -setreg exit\smtp\SMTPServer "mail.yourdomain.com"
certutil -setreg exit\smtp\SMTPAuthenticate 0
REM If the SMTP server requires a logon, uncomment the next line and replace the
REM placeholders (password after -p, username in quotes)
REM certutil -setsmtpinfo -p "<password>" "<username>"

:Setup_CA_For_Exit_Module
REM Turn each event on (+FLAG). Delete the line for any event you do not want mail about.
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CRLISSUED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTDENIED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTISSUED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTPENDING
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTUNREVOKED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTRETRIEVEPENDING
certutil -setreg exit\smtp\eventfilter +EXITEVENT_CERTREVOKED
certutil -setreg exit\smtp\eventfilter +EXITEVENT_SHUTDOWN
certutil -setreg exit\smtp\eventfilter +EXITEVENT_STARTUP

:CrlIssued
REM Addresses for CRL issued notifications
certutil -setreg exit\smtp\CRLissued\To %emailto%
certutil -setreg exit\smtp\CRLissued\From %emailfrom%

:Denied
REM Addresses for request denied notifications
certutil -setreg exit\smtp\templates\default\Denied\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Denied\To %emailto%

:Certificate_Issued
REM Addresses for certificate issued notifications
certutil -setreg exit\smtp\templates\default\Issued\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Issued\To %emailto%

:Certificate_Pending
REM Addresses for request pending notifications
certutil -setreg exit\smtp\templates\default\Pending\To %emailto%
certutil -setreg exit\smtp\templates\default\Pending\From %emailfrom%

:Certificate_Revoked
REM Addresses for certificate revoked notifications
certutil -setreg exit\smtp\templates\default\Revoked\From %emailfrom%
certutil -setreg exit\smtp\templates\default\Revoked\To %emailto%

:Certificate_UnRevoked
REM Addresses for certificate unrevoked notifications
certutil -setreg exit\smtp\templates\default\unRevoked\From %emailfrom%
certutil -setreg exit\smtp\templates\default\unRevoked\To %emailto%

:Certificate_Retrieve_Pending
REM Addresses for retrieve pending notifications
certutil -setreg exit\smtp\templates\default\retrievepending\From %emailfrom%
certutil -setreg exit\smtp\templates\default\retrievepending\To %emailto%

:Certificate_Authority_Shutdown
REM Addresses for service shutdown notifications
certutil -setreg exit\smtp\Shutdown\To %emailto%
certutil -setreg exit\smtp\Shutdown\From %emailfrom%

:Certificate_Authority_Startup
REM Addresses for service startup notifications
certutil -setreg exit\smtp\Startup\To %emailto%
certutil -setreg exit\smtp\Startup\From %emailfrom%

REM Restart Certificate Services so the exit module reads the new settings
net stop certsvc & net start certsvc
echo Certificate Services SMTP Exit module has now been configured.
pause
REM ============ End Batch File ===============

In the script above, you’ll need to set the emailfrom and emailto. Next, you’ll need to set the SMTP server that can relay emails from your Certification Authority server. You may need to configure your email server to allow relays from the CA’s IP address. Finally, you’ll need to set the SMTPAuthenticate to the appropriate value based on your SMTP relay requirements.

If there are any events you don’t want to be notified about, you can comment out or remove all of the certutil -setreg lines pertaining to those events.

After you’ve edited the script, save it as a .bat file. On your Certificate Authority server, right-click on the .bat script and select Run As Administrator. The Certificate Authority services will stop and start during the configuration.
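The same procedure as a PowerShell script, added here as an example (it is not code from the original post). It lets you choose which events send mail instead of deleting lines, stops at the first certutil call that fails, clears the flag of every event you left out so that rerunning it with a shorter list really disables them, restarts Certificate Services, reads the event filter back, and can send a test message through the relay so you find a blocked relay now rather than at the first revocation. It assumes it runs elevated on the CA itself, that certutil.exe is on the PATH, that the registry paths are the ones the batch script uses, and that the argument order for -setsmtpinfo follows the commented line in the batch script; the -FLAG form is certutil's standard way of clearing a flag bit. The parameter names and the script file name are the example's own.

```powershell
<#
  Added example, not from the original post: PowerShell equivalent of the batch
  script above with selectable events, error checking and a relay test.
  Assumptions: run elevated on the CA; certutil.exe on PATH; registry paths as in
  the batch script; -setsmtpinfo argument order as in the batch script's comment.
#>
param(
    [Parameter(Mandatory)] [string] $EmailFrom,
    [Parameter(Mandatory)] [string] $EmailTo,
    [Parameter(Mandatory)] [string] $SmtpServer,
    [ValidateSet(0, 1, 2)] [int]    $SmtpAuthenticate = 0,
    [pscredential]                  $SmtpCredential,   # only when the relay requires a logon
    [ValidateSet('CRLIssued', 'Denied', 'Issued', 'Pending', 'Revoked',
                 'UnRevoked', 'RetrievePending', 'Shutdown', 'Startup')]
    [string[]] $Events = @('CRLIssued', 'Denied', 'Issued', 'Pending', 'Revoked',
                           'UnRevoked', 'RetrievePending', 'Shutdown', 'Startup'),
    [switch] $SendTestMail
)

# Event name -> eventfilter flag and the registry key holding its From/To values.
# CRLIssued, Startup and Shutdown sit directly under exit\smtp; the rest are templates.
$eventMap = [ordered]@{
    CRLIssued       = @{ Flag = 'EXITEVENT_CRLISSUED';           Key = 'exit\smtp\CRLIssued' }
    Denied          = @{ Flag = 'EXITEVENT_CERTDENIED';          Key = 'exit\smtp\templates\default\Denied' }
    Issued          = @{ Flag = 'EXITEVENT_CERTISSUED';          Key = 'exit\smtp\templates\default\Issued' }
    Pending         = @{ Flag = 'EXITEVENT_CERTPENDING';         Key = 'exit\smtp\templates\default\Pending' }
    Revoked         = @{ Flag = 'EXITEVENT_CERTREVOKED';         Key = 'exit\smtp\templates\default\Revoked' }
    UnRevoked       = @{ Flag = 'EXITEVENT_CERTUNREVOKED';       Key = 'exit\smtp\templates\default\UnRevoked' }
    RetrievePending = @{ Flag = 'EXITEVENT_CERTRETRIEVEPENDING'; Key = 'exit\smtp\templates\default\RetrievePending' }
    Shutdown        = @{ Flag = 'EXITEVENT_SHUTDOWN';            Key = 'exit\smtp\Shutdown' }
    Startup         = @{ Flag = 'EXITEVENT_STARTUP';             Key = 'exit\smtp\Startup' }
}

function Invoke-CertUtil {
    # Runs certutil and throws on a non-zero exit code, so a mistyped path or a
    # non-elevated shell stops the script instead of leaving the CA half configured.
    param([string[]] $Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE): $($output -join ' ')"
    }
    $output
}

# Relay settings
Invoke-CertUtil @('-setreg', 'exit\smtp\SMTPServer', $SmtpServer) | Out-Null
Invoke-CertUtil @('-setreg', 'exit\smtp\SMTPAuthenticate', "$SmtpAuthenticate") | Out-Null
if ($SmtpCredential) {
    # The password is handed to certutil only; it is never written to the console.
    $plain = $SmtpCredential.GetNetworkCredential().Password
    Invoke-CertUtil @('-setsmtpinfo', '-p', $plain, $SmtpCredential.UserName) | Out-Null
}

# Enable the selected events and set their addresses; explicitly clear the others.
foreach ($name in $eventMap.Keys) {
    $e = $eventMap[$name]
    if ($Events -contains $name) {
        Invoke-CertUtil @('-setreg', 'exit\smtp\eventfilter', "+$($e.Flag)") | Out-Null
        Invoke-CertUtil @('-setreg', "$($e.Key)\From", $EmailFrom) | Out-Null
        Invoke-CertUtil @('-setreg', "$($e.Key)\To",   $EmailTo)   | Out-Null
    } else {
        Invoke-CertUtil @('-setreg', 'exit\smtp\eventfilter', "-$($e.Flag)") | Out-Null
    }
}

# The exit module only reads its settings when Certificate Services starts.
Restart-Service -Name CertSvc

# Read the filter back so the flags that are actually set are visible in the log.
Write-Output 'Configured eventfilter:'
Invoke-CertUtil @('-getreg', 'exit\smtp\eventfilter')

if ($SendTestMail) {
    # Confirms the relay accepts mail from this host before a real CA event depends on it.
    $mail = @{
        From       = $EmailFrom
        To         = $EmailTo
        SmtpServer = $SmtpServer
        Subject    = "CA SMTP exit module test from $env:COMPUTERNAME"
        Body       = 'Test message sent while configuring the Certificate Services SMTP exit module.'
    }
    if ($SmtpCredential) { $mail.Credential = $SmtpCredential }
    Send-MailMessage @mail
}
```

Save it as, for instance, Set-CaSmtpExit.ps1 and run it from an elevated prompt on the CA, e.g. `.\Set-CaSmtpExit.ps1 -EmailFrom ca@yourdomain.com -EmailTo pki-team@yourdomain.com -SmtpServer mail.yourdomain.com -Events Revoked,Denied,Shutdown,Startup -SendTestMail` to get mail only for the events that usually matter to an on-call PKI team. Two things to keep in mind: the relay password is passed to certutil on its command line, so run the script interactively rather than from a scheduled task whose command line is logged, and the readback at the end is what proves the change took effect, since a failed `net start` would otherwise go unnoticed until the next request.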

