11.2. Setting up Automated Notifications for the CA

11.2.1. Setting up Automated Notifications in the Console

  1. Open the Certificate Manager Console.
    pkiconsole https://server.example.com:8443/ca
  2. Open the Configuration tab.
  3. Open the Certificate Manager heading in the navigation tree on the left. Then select Notification.
    The Notification tabs appear in the right side of the window.
  4. Notifications can be sent for three kinds of events: newly-issued certificates, revoked certificates, and new certificate requests. To send a notification for any event, select the tab, check the Enable checkbox, and specify information in the following fields:
    • Sender's E-mail Address. Type the sender's full email address of the user who is notified of any delivery problems.
    • Recipient's E-mail Address. These are the email addresses of the agents who will check the queue. To list more than one recipient, separate the email addresses with commas. For new requests in queue only.
    • Subject. Type the subject title for the notification.
    • Content template path. Type the path, including the filename, to the directory that contains the template to use to construct the message content.
  5. Click Save.

    Note

  6. Customize the notification message templates. See Section 11.3, “Customizing Notification Messages” for more information.
  7. Test the configuration. See Section 11.2.3, “Testing Configuration”.

11.2.2. Configuring Specific Notifications by Editing the CS.cfg File

  1. Stop the CA subsystem.
    systemctl stop pki-tomcatd@instance_name.service
  2. Open the CS.cfg file for that instance. This file is in the instance's conf/ directory.
  3. Edit all of the configuration parameters for the notification type being enabled.
    For certificate issuing notifications, there are four parameters:
    ca.notification.certIssued.emailSubject
    ca.notification.certIssued.emailTemplate
    ca.notification.certIssued.enabled
    ca.notification.certIssued.senderEmail
    
    For certificate revocation notifications, there are four parameters:
    ca.notification.certRevoked.emailSubject
    ca.notification.certRevoked.emailTemplate
    ca.notification.certRevoked.enabled
    ca.notification.certRevoked.senderEmail
    
    For certificate request notifications, there are five parameters:
    ca.notification.requestInQ.emailSubject
    ca.notification.requestInQ.emailTemplate
    ca.notification.requestInQ.enabled
    ca.notification.requestInQ.recipientEmail
    ca.notification.requestInQ.senderEmail
    
    The parameters for the notification messages are explained in Section 11.2, “Setting up Automated Notifications for the CA”.
  4. Save the file.
  5. Restart the CA instance.
    systemctl start pki-tomcatd@instance_name.service
  6. If a job has been created to send automated messages, check that the mail server is correctly configured. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
  7. The messages that are sent automatically can be customized; see Section 11.3, “Customizing Notification Messages” for more information.

11.2.3. Testing Configuration

To test whether the subsystem sends email notifications as configured, do the following:
  1. Change the email address in the notification configuration for the request in queue notification to an accessible agent or administrator email address.
  2. Open the end-entities page, and request a certificate using the agent-approved enrollment form.
    When the request gets queued for agent approval, a request-in-queue email notification should be sent. Check the message to see if it contains the configured information.
  3. Log into the agent interface, and approve the request.
    When the server issues a certificate, the user receive a certificate-issued email notification to the address listed in the request. Check the message to see if it has the correct information.
  4. Log into the agent interface, and revoke the certificate.
    The user email account should contain an email message reading that the certificate has been revoked. Check the message to see if it has the correct information.