Lab 6: Collections and Alerts
Collections and Alerts Lab Activity
Collections play a significant role in how users find and interact with certificates. They can also be part of our automation strategy. Additionally, we will dive into alerts. The alerting capabilities in Keyfactor interact with our certificate approval workflow and allow for automation through the use of event handlers. Our focus is to get the alerts up and running and we'll add automation later in this course.
In this lab, we are going to review the use and configuration of collections and alerts within Keyfactor and prepare our system with collections for user access and automation.
Certificate Collections
Collections are pre-defined queries that can help you monitor your Certificates, for example, by certificate usage, environment, or source of a certificate. You can convert a Certificate Search to a Certificate Collection for ease of access, as the saved Collections display on the Collections tab as a saved query. Permissions can be assigned at the collection level if you want to restrict roles from having global access to all certificates. Let's create a few collections!
In the Keyfactor Portal, hover over the Certificates tab and choose Certificate Search from the dropdown.
Enter the search criteria below to find all certificates issued for kftrain.lab:

| Field | Comparison | Value |
| --- | --- | --- |
| CN | Contains | kftrain.lab |
Click the Advanced button, which shows the query that is being run behind the scenes.
Click Search.
From here we have a dynamic list of certificates that contain kftrain.lab in the common name attribute. Once the search criteria are to our liking, we can save the search as a collection.
Click Save.
On the Save Collection dialog, name the collection and include a description of your choice.
In the Ignore renewed cert results by dropdown, select Distinguished Name.
Reminder: This setting determines whether Keyfactor should show duplicate (renewed) certificates. With this setting as configured, Keyfactor will ignore certificates with duplicate DN attributes and show only the most recent one.
Select the Show on Dashboard checkbox for your reporting.
Select the Show on Navigator checkbox, which displays the saved collection in the Collections tab drop-down.
Permissions
Once saved, the collection just created will be displayed. From this screen, we can view the permissions of this collection by clicking the Permissions button. Let's take a minute to give our "Enroll only" role access to this newly created collection.
Navigate to Gear Icon > Security Roles & Identities.
Double-click the Enroll-only role we created in Lab 5.
Click the Collection Permissions tab.
Add the following permissions:
| Collection | Permissions |
| --- | --- |
| My Certificates | Read, Download with Private Key |
| <<Your Created Collection>> | Read |
Click Save.
With these configuration settings, the "Enroll only" user can now see any certificates they have requested using the My Certificates collection. Additionally, they can see all certificates in our created collection without providing access to the global certificate repository.
Bonus Lab: Now that we've created a collection, can you create a collection for all certificates that use one of the Web Server templates?
Alerts
Alerts in Keyfactor are email notifications that can be dispatched at specified events within the certificate lifecycle.
Alerts can be configured for the following:
Certificate Expiration
Pending Issuance
Request Approval
Request Denial
CRL/OCSP Monitoring
In addition, these same events can be extended using Event Handlers. We'll add some event handlers later in this course; for now, let's enable Pending Request alerts for our Web Server Approval template.
In the Keyfactor Portal, navigate to Alerts > Pending Request.
Click Add.
Configure the Pending Request Alert Settings window with the following configuration:
| Configuration | Value |
| --- | --- |
| Certificate Template | <<Your web server template that requires approval from Lab 5>> |
| Display Name | Lab 6: Approval Notification |
| Subject | Request for Web Server Certificate |
| Message | The following certificate {rcn} is awaiting approval. Please use the link below to approve this request: |
| Recipients | approver@kftrain.lab |
Click Save.
Click Configure in the Monitor Execution Schedule header.
Choose an Execution Schedule to determine how often to send pending alerts.
Once you've configured your alert, go ahead and log in as the "Enroll only" user and request a certificate requiring approval. You should see an email notification when you log into the email client located at http://mail.kftrain.lab:5000/
Bonus Lab: Now that we've created an alert, can you create an expiration alert using your Web Server template collection from above?
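To make the two settings in this lab concrete, here is an added example (not Keyfactor's own code) that models a saved collection (CN Contains kftrain.lab), the "Ignore renewed cert results by Distinguished Name" option, and the expiration alert from the bonus lab. The inventory, field names and comparison operators are constructed for illustration, not Keyfactor's query language.

```python
from datetime import date, timedelta

# Constructed sample inventory: the fields a collection query and the
# "ignore renewed by DN" setting act on. Certificate 2 is a renewal of 1
# (same DN, later expiry), so 1 is the superseded copy.
CERTS = [
    {"id": 1, "cn": "web01.kftrain.lab", "dn": "CN=web01.kftrain.lab,O=KFTrain",
     "not_after": date(2025, 1, 15)},
    {"id": 2, "cn": "web01.kftrain.lab", "dn": "CN=web01.kftrain.lab,O=KFTrain",
     "not_after": date(2026, 1, 15)},
    {"id": 3, "cn": "mail.kftrain.lab", "dn": "CN=mail.kftrain.lab,O=KFTrain",
     "not_after": date(2025, 3, 1)},
    {"id": 4, "cn": "intranet.contoso.com", "dn": "CN=intranet.contoso.com,O=Contoso",
     "not_after": date(2025, 2, 1)},
]

# Comparison operators as named in the lab's search table (modelled, case-insensitive).
COMPARISONS = {
    "Contains": lambda a, b: b.lower() in a.lower(),
    "Equals": lambda a, b: a.lower() == b.lower(),
    "StartsWith": lambda a, b: a.lower().startswith(b.lower()),
}

def collection_members(certs, field, comparison, value):
    """Model of a saved collection: evaluate one search criterion over the inventory."""
    match = COMPARISONS[comparison]
    return [c for c in certs if match(c[field], value)]

def ignore_renewed_by_dn(certs):
    """Keep only the newest certificate per DN, as 'Ignore renewed cert results by
    Distinguished Name' does, so superseded copies drop out of the collection."""
    newest = {}
    for c in certs:
        if c["dn"] not in newest or c["not_after"] > newest[c["dn"]]["not_after"]:
            newest[c["dn"]] = c
    return sorted(newest.values(), key=lambda c: c["id"])

def expiration_alert_ids(certs, as_of, days):
    """IDs an expiration alert with a `days`-day window would fire for on `as_of`."""
    cutoff = as_of + timedelta(days=days)
    return sorted(c["id"] for c in certs if as_of <= c["not_after"] <= cutoff)

if __name__ == "__main__":
    members = collection_members(CERTS, "cn", "Contains", "kftrain.lab")
    print("collection:", [c["id"] for c in members])                   # [1, 2, 3]
    deduped = ignore_renewed_by_dn(members)
    print("ignoring renewed:", [c["id"] for c in deduped])              # [2, 3]
    print("would alert:", expiration_alert_ids(deduped, date(2024, 12, 20), 30))
```

Running the alert check over the raw members instead of the deduplicated list flags certificate 1, which has already been renewed; the DN setting is what keeps that stale alert from being sent.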