When a certification authority is installed, the "Windows Default" exit module is activated automatically. It allows e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.
Even if the exit module is not used, it still opens sessions on the certification authority database (see Event no. 46). On certification authorities under high load this can become a problem.
If the functions it offers are not used (under Windows Server Core the "Windows Default" exit module basically does not work anyway), it can also be disabled completely.
An example project for creating your own exit module can be found in the article "Create an exit module for the certification authority in C#". This provides the possibility to develop an exit module with a range of functions tailored to your own needs.
Procedure
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and makes it possible to apply rule sets in order to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Deactivate Exit Module (Certification Authority Management Console)
To disable the exit module, simply remove it from the certification authority configuration.
Afterwards, a restart of the certification authority service is required again to apply the changes.
In the registry of the certification authority, the configuration of the active exit module is stored under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-the-certification-authority}\ExitModules
If no exit module is configured, the "Active" value is empty accordingly.
Deactivate Exit Module (PowerShell)
The goal can also be achieved very easily via PowerShell:
# Registry root of the CA configuration; its "Active" value holds the CA's common name
$Root = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$CaName = (Get-ItemProperty -Path $Root -Name Active).Active
# Empty the REG_MULTI_SZ "Active" value under ExitModules so no exit module is loaded
Clear-ItemProperty -Path "$Root\$CaName\ExitModules" -Name Active
Re-enable exit module
Unlike policy modules, several exit modules (if available) can be activated at the same time.
Afterwards, a restart of the certification authority service is required again to apply the changes.
In the registry, the "Active" value is filled again accordingly.
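The following script is an added example and is not part of the original article. It covers both the check (which exit modules are currently active on the local CA, i.e. whether the database sessions described above are still being opened) and the re-enable step. It assumes it is run elevated on the CA itself, and it assumes that the ProgID "CertificateAuthority_MicrosoftDefault.Exit" identifies the "Windows Default" exit module; that ProgID is not stated in the article, so compare it against the value recorded before the module was removed.

```powershell
# Added example (not from the original article): audit the active exit modules
# of the local CA and optionally restore the "Windows Default" module.
# Assumption: "CertificateAuthority_MicrosoftDefault.Exit" is the ProgID of the
# Windows Default exit module (verify against the value before removal).
$Root = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$DefaultExitModule = "CertificateAuthority_MicrosoftDefault.Exit"

function Get-CaExitModuleState {
    # Returns the CA name, the ExitModules registry path and the active ProgIDs.
    $CaName = (Get-ItemProperty -Path $Root -Name Active).Active
    $ExitPath = Join-Path $Root "$CaName\ExitModules"
    $Active = @((Get-ItemProperty -Path $ExitPath -Name Active -ErrorAction SilentlyContinue).Active)
    # An emptied REG_MULTI_SZ may come back as $null or as empty strings; drop both
    $Active = @($Active | Where-Object { -not [string]::IsNullOrEmpty($_) })
    [pscustomobject]@{
        CaName        = $CaName
        ExitPath      = $ExitPath
        ActiveModules = $Active
        DefaultActive = ($Active -contains $DefaultExitModule)
    }
}

function Enable-CaDefaultExitModule {
    # Adds the Windows Default exit module to the REG_MULTI_SZ "Active" value,
    # keeping any other exit modules already listed, then restarts CertSvc
    # because the CA only reads the value at service start.
    $State = Get-CaExitModuleState
    if ($State.DefaultActive) {
        Write-Host "Windows Default exit module is already active on $($State.CaName)."
        return
    }
    $NewList = [string[]]($State.ActiveModules + $DefaultExitModule)
    Set-ItemProperty -Path $State.ExitPath -Name Active -Value $NewList -Type MultiString
    Restart-Service -Name CertSvc
    Write-Host "Re-enabled $DefaultExitModule on $($State.CaName); CertSvc restarted."
}

# Audit only (no change is made here):
$State = Get-CaExitModuleState
if ($State.ActiveModules.Count -eq 0) {
    Write-Host "No exit module is active on $($State.CaName); no exit-module DB sessions are opened."
} else {
    Write-Host "Active exit modules on $($State.CaName): $($State.ActiveModules -join ', ')"
}
# To restore the default module afterwards, run: Enable-CaDefaultExitModule
```

The audit part is safe to run on any CA, for example as a periodic check that the exit module has not been re-added by an installer or a configuration rollback. The re-enable function deliberately appends to the existing list rather than overwriting it, because several exit modules may be active at the same time and a custom module such as the C# example from the related article must not be dropped by accident.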
Related links:
- The SMTP Exit module does not work on Windows Server Core
- Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS
- Create an exit module for the certification authority in C#
External sources
- Exit Modules - Win32 apps (Microsoft)
- Writing Custom Exit Modules - Win32 apps (Microsoft)
- Managing Policy and Exit Modules (Microsoft)
- Select a Different Exit Module (Microsoft)
- Certificate Services Architecture (Microsoft)