
Configuring CA Monitor


Overview

The CA Monitor feature in CertMS allows you to track certificate activity directly from your Certificate Authority (CA) servers. This includes monitoring pending, issued, and revoked certificates with automated email alerts. Each CA Monitor tracks a specific certificate template on your CA infrastructure.

Prerequisites

Before configuring CA Monitor, ensure you have:

  • Administrative access to your Certificate Authority server
  • PowerShell execution permissions on the CA server
  • Network connectivity between the CA server and your CertMS instance
  • Email addresses for alert notifications

Step-by-Step Configuration

Step 1: Access CA Monitor Management

  1. In the left-hand navigation menu, click on CA Monitors
  2. This page displays all currently configured CA Monitors in your environment

Step 2: Create New CA Monitor

  1. Click the Create New CA Monitor button in the top-right corner
  2. Complete the required configuration fields:

Required Information

Field | Description
Name | Descriptive name for this CA Monitor (e.g., “Web Server Certificates”)
CA Server FQDN | Fully Qualified Domain Name of your Certificate Authority server
Certificate Template | Specific certificate template to monitor (one monitor per template)
Enable Monitor | ✅ Checkbox (checked by default) – enables/disables monitoring

Alert Configuration

Configure email notifications for certificate events:

  • Pending Certificate Alert: Email address(es) for pending certificate notifications
  • Issued Certificate Alert: Email address(es) for newly issued certificate notifications
  • Revoked Certificate Alert: Email address(es) for certificate revocation notifications

Note: You can enter multiple email addresses separated by commas for each alert type.

  3. Click Save or Create to create the CA Monitor

Step 3: Retrieve Monitor Information

After creating the CA Monitor:

  1. Navigate to the newly created CA Monitor
  2. Locate the Monitor Information section
  3. Copy and save the CA Monitor ID – you’ll need this for the agent installation

Step 4: Download CA Agent Script

  1. On the CA Monitors page, locate the Download CA Agent button (to the left of “Create New CA Monitor”)
  2. Click Download CA Agent to download the PowerShell script
  3. Save the ca_monitor_agent.ps1 file for installation on your CA server

Step 5: Create API Key

The CA Agent requires an API key to communicate with CertMS.

Navigate to API Key Management

  1. In the left-hand navigation, click the Settings dropdown
  2. Select API Keys
  3. Review existing API keys (you may see “System APIs” created automatically)

Create New API Key

  1. Click Create New API Key
  2. Complete the API key configuration:

Field | Configuration
Name | Descriptive name (e.g., “CA Monitor API Key”)
Description | Optional description of the key’s purpose
Roles | Select required permissions: ✅ CA Monitor Admin (minimum required); ✅ Certificate Admin (minimum required)
Expiration Date | Set expiration date (recommend setting far in the future)
Active | ✅ Checkbox (checked by default)

  3. Click Create API Key in the lower-right corner

Save Your API Key

  • A popup window will display your API key
  • ⚠️ IMPORTANT: This is the only time you can view the complete API key
  • Copy and save the API key in a secure location immediately

Best Practice: You can create one API key for all CA Scanners, or create individual keys for each monitor depending on your security requirements.

Step 6: Install CA Agent on Certificate Authority

Prerequisites for Installation

  • Administrative access to the CA server
  • PowerShell execution permissions
  • The downloaded ca_monitor_agent.ps1 script
  • Your API key and CA Monitor ID

Installation Steps

  1. Copy the script to your Certificate Authority server
  2. Open an elevated PowerShell prompt on the CA server
  3. Navigate to the directory containing the script
  4. Run the installation command:
.\ca_monitor_agent.ps1 -ApiBaseUrl "<api_base_url>" -ApiKey "<api_key>" -CaMonitorId "<ca_monitor_id>" -Install

Parameter Details

Parameter | Description | Example
ApiBaseUrl | Your CertMS instance API URL | https://acmecorp.certms.com/certms
ApiKey | The API key created in Step 5 | your-generated-api-key-here
CaMonitorId | Monitor ID from Step 3 | 12345
Install | Installation flag | (no value needed)

Example Installation Command

.\ca_monitor_agent.ps1 -ApiBaseUrl "https://acmecorp.certms.com/certms" -ApiKey "abcd1234-5678-90ef-ghij-klmnopqrstuv" -CaMonitorId "12345" -Install

Step 7: Verify Installation

After running the installation command:

  1. Check for success messages in the PowerShell output
  2. Verify in CertMS that the CA Monitor shows as “Connected” or “Active”
  3. Monitor the dashboard for incoming certificate data
  4. Test email alerts by performing a certificate operation on the CA

Managing Multiple Certificate Templates

To monitor multiple certificate templates:

  1. Create separate CA Monitors for each template
  2. Use the same API key for all monitors (recommended)
  3. Install the agent multiple times with different CaMonitorId values
  4. Configure different alert recipients based on certificate type
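
The installation command from Step 6, repeated once per template as described above and wrapped with pre-flight checks. This is an added example, not part of the CertMS agent or its documentation; the second monitor ID is a constructed sample, and the wrapper prompts for the API key instead of placing it on the command line so the key stays out of console history.

```powershell
# Added example (not CertMS code): pre-flight checks, then one install per CA Monitor.
$ApiBaseUrl   = 'https://acmecorp.certms.com/certms'  # example URL from the parameter table
$CaMonitorIds = @('12345', '12346')                   # constructed sample IDs, one per template
$AgentScript  = '.\ca_monitor_agent.ps1'              # run from the script's directory

# 1. Require an elevated session, as the installation steps do.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 2. Refuse a non-HTTPS endpoint and confirm the CertMS host is reachable.
$uri = [Uri]$ApiBaseUrl
if ($uri.Scheme -ne 'https') { throw "ApiBaseUrl must use HTTPS: $ApiBaseUrl" }
$net = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) { throw "Cannot reach $($uri.Host):$($uri.Port)" }

# 3. Record the script hash so a later change to the file is detectable.
if (-not (Test-Path -LiteralPath $AgentScript)) { throw "Agent script not found: $AgentScript" }
$hash = (Get-FileHash -LiteralPath $AgentScript -Algorithm SHA256).Hash
Write-Host "ca_monitor_agent.ps1 SHA256: $hash"

# 4. Prompt for the key: input typed at Read-Host is not written to PSReadLine history.
$secureKey = Read-Host -Prompt 'CertMS API key' -AsSecureString
$plainKey  = [System.Net.NetworkCredential]::new('', $secureKey).Password

# 5. Install once per monitor, reusing the same key; always drop the key afterwards.
try {
    foreach ($id in $CaMonitorIds) {
        Write-Host "Installing agent for CA Monitor $id"
        & $AgentScript -ApiBaseUrl $ApiBaseUrl -ApiKey $plainKey -CaMonitorId $id -Install
    }
}
finally {
    Remove-Variable -Name plainKey, secureKey -ErrorAction SilentlyContinue
}
```

The wrapper only controls how the key reaches the agent; how the agent stores it afterwards depends on the script itself.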

Troubleshooting

Common Installation Issues

Issue | Solution
PowerShell execution policy error | Run Set-ExecutionPolicy RemoteSigned as administrator
Network connectivity issues | Verify firewall rules allow HTTPS traffic to CertMS
API authentication failed | Verify API key is correct and has proper roles assigned
CA Monitor ID not found | Double-check the Monitor ID from the Monitor Information section

Verification Steps

  • Check Windows Event Logs on the CA server for agent-related entries
  • Verify network connectivity: Test-NetConnection <certms-instance> -Port 443
  • Confirm API key permissions in CertMS Settings > API Keys

Security Considerations

  • Store API keys securely – treat them like passwords
  • Set appropriate expiration dates for API keys
  • Apply the least-privilege principle when assigning API key roles
  • Monitor API key usage regularly
  • Rotate API keys according to your security policy

Need Help? Contact our support team at support@certms.com for assistance with CA Monitor configuration or agent installation issues.
