Denied Certificate Request Alert Operations

A denied certificate request alert is designed to send an email notification to a certificate requester when a certificate request he or she made using a certificate templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. that required manager approval is denied. It can include a comment from the administrator who denied the request indicating why the request was denied. From the Denied Certificate Request Alert page you can add a new alert, edit an existing one, delete an alert and copy an existing alert to form a template for a new alert.

Important:  These alerts are not used to provide email alerts or run event handlers for certificate requests that require approval based on policies configured in Keyfactor Command workflows. Denial notification for requests handled by Keyfactor Command workflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. are configured within the workflow (see Adding, Copying or Modifying a Workflow Definition).
  1. In the Management Portal, browse to Alerts > Denied Request.
  2. On the Denied Certificate Requests Alerts page, click Add at the top of the grid to create a new alert, or click Edit to modify an existing one (Edit is also available from the right click menu).

  3. In the Denied Certificate Request Alert Settings dialog, select your Certificate Template (or select All Templates) in the first dropdown.

    Figure 155: Create a New Denied Certificate Request Alert

  4. In the Display Name field, enter a name for the alert. This name appears in the list of denied certificate request alerts in the Management Portal.

  5. In the Subject field, enter a subject line for the email message that will be delivered when the alert is triggered. You can use substitutable special text in the subject line. Substitutable special text uses a variable in the alert definition that is replaced by data from the certificate or certificate metadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. at processing time. For example, you can enter {rcn} in the alert definition and each alert generated will contain the specific requested common nameClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). of the given request instead of the variable {rcn}.

    To add substitutable special text to the subject line; place your cursor where you would like the text to appear on the subject line, select the appropriate variable from the Insert special text dropdown, and click Insert. Alternately, type the special text variable enclosed in curly braces (e.g. {cnClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).}).

  6. In the Message box, enter the body of the email message that will be delivered when the alert is triggered. You can use the Insert special text dropdown below the message window to add substitutable special text to the message. The metadata that appears in the dropdown will depend upon the custom metadata you have defined (see Certificate Metadata). Place your cursor where you would like the text to appear, select the appropriate variable from the dropdown, and click Insert. Alternately, you can type the special text variable enclosed in curly braces directly. In addition to the substitutable special text fields available in the dropdown, you can also build your own substitutable fields for the requester based on string values from the user or computer Active Directory record. See Table 9: Substitutable Special Text for Denied Certificate Request Alerts. If desired, you can format the message body using HTML.
  7. The Denial Comments substitutable special text field is an important one to include in your alert intended for the requester of the certificate. This provides the comment the administrator made at the time he or she denied the certificate request (see Certificate Requests).

  8. Check the Use handler box if you would like the alert to trigger an event handler at processing time, select the appropriate handler in the dropdown, and click the Configure button to configure the event handler. See Adding Logging Handlers to Alerts for information on using event logging handlers and Adding PowerShell Handlers to Alerts for information about using PowerShell handlers.

    Tip:  With workflows, the equivalent functionality to the handlers can be achieved using either Set Variable Data or Use Custom PowerShell steps. See the examples for Write to Windows Event Log with Expiration Workflow and Update Additional Enrollment Field on Enrollment.

  9. In the Recipients section of the page, click Add to add a recipient to the alert. Each alert can have multiple recipients. Recipients should be added one at a time. You can enter specific email addresses and/or use substitutable special text to replace an email address variable with actual email addresses at processing time. There are three built-in variables that can be selected in the Recipient dialog Use a variable from the certificate request dropdown. In addition, you can type a special text variable enclosed in curly braces in the Email field if you have, for example, a metadata field that contains an email address.

    Keyfactor Command sends SMS (text) messages by leveraging the email to text gateways that many major mobile carriers provide. Check with your carrier for specific instructions. Keyfactor has tested that AT&T can be addressed using 10-digit-number@txt.att.net (e.g. 4155551212@txt.att.net) and Verizon can be addressed using 10-digit-number@vtext.com (e.g. 2125551212@vtext.com). T-Mobile can be addressed using 10-digit-number@tmomail.net (e.g. 2065551212@tmomail.net), but functionality can be spotty. Reliability of alerting via this method depends on the reliability of the carrier’s gateways.

    Figure 156: Denied Certificate Request Alerts Recipients

  10. Click Save to save your denied certificate request alert.

You may use the copy operation to create multiple similar alerts—for example, one to the requester of the certificate and another with a different message to the application owner for whom it was intended.

  1. In the Management Portal, browse to Alerts > Denied Request.
  2. On the Denied Certificate Requests Alerts page, highlight the row in the denied certificate request alerts grid and click Copy at the top of the grid, or from the right click menu.
  3. The Denied Certificate Request Alert Settings dialog will pop-up with the details from the selected alert. The display name field will have - Copy tagged to the end of it to indicate it is a new alert. You may modify the alert as needed and click Save to add the new alert, or Cancel to cancel the operation.
  1. In the Management Portal, browse to Alerts > Denied Request.
  2. On the Denied Certificate Requests Alerts page, highlight the row in the denied certificate request alerts grid and click Delete at the top of the grid, or from the right click menu.
  3. On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.

Refer to the following table for a complete list of the substitutable special text that can be used to customize alert messages.

Table 9: Substitutable Special Text for Denied Certificate Request Alerts

Variable

 Name

Description

{cmnt}

Denial Comments

Comments provided by the administrator responsible for approving or denying the certificate request at the time the request was denied

{rcn}

Requested Common Name

Common name contained in the certificate request

{rdn}

Requested Distinguished Name

Distinguished name contained in the certificate request

{requester:mail}

Requester’s Email

Email address retrieved from Active Directory of the user account that requested the certificate from the CA, if present

Note:  This substitutable special text token is only supported in environments using Active Directory as an identity provider.

{requester:givenname}

Requester’s First Name

First name retrieved from Active Directory of the user account that requested the certificate from the CA, if present

Note:  This substitutable special text token is only supported in environments using Active Directory as an identity provider.

{requester:sn}

Requester’s Last Name

Last name retrieved from Active Directory of the user account that requested the certificate from the CA, if present

Note:  This substitutable special text token is only supported in environments using Active Directory as an identity provider.

{requester:displayname}

Requester's Display Name

Display name retrieved from Active Directory of the user account that requested the certificate from the CA, if present

Note:  This substitutable special text token is only supported in environments using Active Directory as an identity provider.

{careqid}

Issuing CA / Request ID

A string containing the Issuing CA name and the certificate’s Request ID from the CA

{san}

Subject Alternative Name

Subject alternative name(s) contained in the certificate request

{subdate}

Submission Date

Date the certificate request was submitted

{template}

Template Name

Name of the certificate template used to create the certificate request

{templateshortname}

Template Short Name

Short name (often the name with no spaces) of the certificate template used to create the certificate request

{metadata:Email-Contact}

Email-Contact

Example of a custom metadata field

{requester:field}

String Value from AD

Locates the object in Active Directory identified by the user or computer account that requested the certificate from the CA, and substitutes the contents of the attribute named by field. For example, for users:

  • {requester:department}
  • {requester:sAMAccountName}

For computers:

  • {requester:operatingSystem}
  • {requester:location}
This substitutable special text field is partially user defined—you pick the field out of AD to include—and is therefore not available in the Insert special text dropdown; it needs to be typed manually.
Note:  This substitutable special text token is only supported in environments using Active Directory as an identity provider.