Using Event Handlers

Legacy event handlers allow you to run a PowerShell script, write to the Windows event log, automate renewal of expiring certificates, or run a custom handler during the course of delivering an alert. The legacy alerting system has largely been replaced by the newer workflow system. The workflow system offers more options for injecting actions in the process than the legacy alerting system, but the legacy alerting system and event handlers are retained for backwards compatibility.

A given expiration, pending, issued or denied alert can have only one event handler action associated with it. For example, an alert can run one PowerShell script but not also a second PowerShell script or also an event logging task. Alerts configured with a PowerShell or renewal event handler can also send out email messages. However, be aware that your PowerShell script will run once for every certificate and every email recipient, so if your alert has three email recipients, your script will run three times for each certificate. If this is not the desired behavior, you can set up separate alerts for email messages and your PowerShell script. Alerts configured with an event logger event handler will log events to the event log instead of sending email messages. If you want to both log to the event log and send email messages for a given alert configuration, you need to set up two separate alerts.

Important:  Event handlers are not supported for Keyfactor Command implementations in containers under Kubernetes. Use workflows instead.
Tip:  With workflows, the equivalent functionality to the handlers can be achieved using either Set Variable Data or Use Custom PowerShell steps. See the examples for Write to Windows Event Log with Expiration Workflow, Renewal and Email Notification on Approaching Certificate Expiration, and Update Additional Enrollment Field on Enrollment.
Tip:  PowerShell handlers run in different security contexts depending on how they are triggered. If they are triggered by the Management Portal/Keyfactor API (via an alert test, for example) they will run in the context of the Keyfactor API application pool account. If they are triggered by a scheduled task (an alert run automatically, for example), they will run in the context of the Keyfactor Command Service account. Keep this in mind if your configuration of the PowerShell script is going to use Windows Authentication to reach back into Keyfactor Command or perform another task requiring authentication.
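
The following handler-side guard is an added example, not Keyfactor code. It addresses the two behaviors described above: the script running once per certificate per email recipient, and the script running under different accounts depending on how the alert is triggered. The `-Thumbprint` and `-StateDir` parameters, the state directory path, and the once-per-day window are assumptions; how the handler passes certificate values to the script is not covered on this page.

```powershell
# Added example. $Thumbprint and $StateDir are hypothetical names: map them from
# whatever values your handler configuration passes to the script.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $StateDir = 'C:\ProgramData\AlertHandlerState'   # assumed path
)

$ErrorActionPreference = 'Stop'

# Record the account the script is running as. A portal/API-triggered test runs as
# the API application pool account; a scheduled run uses the service account.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Accept only a 40-character hex string (SHA-1 thumbprint, an assumption) so the
# value is safe to use in a file name.
if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw 'Unexpected thumbprint format'
}

# Both accounts need write access to this directory, and nothing else should.
if (-not (Test-Path -LiteralPath $StateDir)) {
    New-Item -ItemType Directory -Path $StateDir | Out-Null
}

# One marker per certificate per day (assumes the alert runs at most daily).
$name   = '{0}-{1:yyyyMMdd}.done' -f $Thumbprint.ToUpperInvariant(), (Get-Date)
$marker = Join-Path $StateDir $name

try {
    # CreateNew fails if the file already exists, so when the script is invoked
    # once per email recipient only the first invocation gets past this point.
    $fs = [System.IO.File]::Open($marker, [System.IO.FileMode]::CreateNew)
    $fs.Dispose()
}
catch [System.IO.IOException] {
    Write-Output "Skipped $Thumbprint as $identity (already handled today)"
    return
}

# The once-per-certificate work goes here.
Write-Output "Handled $Thumbprint as $identity"
```

Comparing the logged identity between an alert test and a scheduled run shows which account needs the permissions for any Windows Authentication call the script makes.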