Thursday, July 12, 2012

How to Enable Notifications for Pending Certificate Requests

You can configure a Windows Certification Authority certificate template to require CA certificate manager approval, as shown below. 


With this configuration autoenrollment is disabled and the CA Manager must approve the certificate request before the certificate is issued.

Normally, CA managers need to check in periodically to see if there are any pending requests to approve or decline.  This article discusses how to enable email notifications when a certificate request is generated that requires approval.

First, my best practice is to create a mail-enabled security group in Active Directory called CA Managers.  Add the appropriate user objects to this group and assign that group Issue and Manage Certificates and Manage CA rights on the Certification Authority, as shown below:


Now we need to configure event logging for Certificate Services for verbose logging.  Run the following command from a CMD prompt on the CA:
certutil -setreg ca\loglevel 4
You must restart the Active Directory Certificate Services service (CertSvc) to affect the logging level change.  The CA will now log event ID 54 from source CertificationAuthority in the Application event log whenever a certificate request is generated.  For example,

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          7/12/2012 8:16:29 AM
Event ID:      54
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      dc1.companyabc.com
Description:
Active Directory Certificate Services left request 51 pending in the queue for C=US, S=CA, L=Pacifica, O=Expta, OU=IT, CN=Admin,
E=admin@companyabc.com.  Additional information: Taken Under Submission


All we need to do now is create an Event trigger on this event.  The easiest way to do that is to create a certificate request so we can attach a task to the event it logs.  Once you create the certificate request, find the event ID 54 in the Application event log on the CA.  Right-click the event and select Attach Task To This Event.



This will open the Create Basic Task Wizard which we will use to configure the email notification.  Give the task a name and description, as shown below, and click Next:



The specific event details are prepopulated from the event we selected.  Click Next:



Select Send an e-mail from the Actions list and click Next:



Complete the details for the email, as shown below.  Enter the valid SMTP address for the CA Managers group (created above) in the To: field.  I include the URL to the CA approval page in the message text for easy access by the CA Managers.  Ensure that your CA server is allowed to send SMTP email to the SMTP server you designate in the wizard.  I use Telnet to test that.



Review the summary.  Select the check box to Open the Properties dialog for this task when I click Finish and then click Finish.


By default this task will only run when the user who created it is logged on.  Change the task to run under the NT Authority\SYSTEM account by clicking the Change User or Group button and entering the local SYSTEM account.  This will also configure the task to run whether the user is logged on or not.  Now click OK to complete the task.


You can view, change or delete this task in the Event Viewer Tasks in the Task Scheduler Library.

Test the new configuration by generating another certificate request.  All members of the CA Managers group should receive an email indicating that a new certificate request is pending, along with a link to the CA's web approval page, as shown below:


 

2:45 PM