Operating the Certification Authority without an exit module

When a certification authority is installed, the "Windows Default" exit module is activated automatically. It allows e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.

But even if the exit module is not used at all, it causes sessions on the certification authority database (see Event no. 46). On certification authorities under high load, this can be problematic.

If the functions it offers are not used at all (under Windows Server Core the "Windows Default" exit module basically does not work), it can also be disabled completely.

An example project for creating your own exit module can be found in the article "Create an exit module for the certification authority in C#". This provides the possibility to develop an exit module with a range of functions tailored to your own needs.

Procedure

Deactivate exit module

To disable the exit module, simply remove it from the certification authority configuration.

Afterwards, the certification authority service must be restarted to apply the changes.

In the registry of the certification authority, the configuration of the active exit module is stored under the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-the-certification-authority}\ExitModules

If no exit module is configured, the "Active" value is empty.

Re-enable exit module

In contrast to policy modules, it is also possible - if available - to activate several exit modules simultaneously.

Afterwards, a restart of the certification authority service is required again to apply the changes.

In the registry, the "Active" value is filled again accordingly.
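The registry state described above can be checked from PowerShell after disabling or re-enabling the exit module. The following read-only script is an added example, not part of the original article; the function name Get-CaExitModuleState and its ConfigRoot parameter are hypothetical, and it assumes an elevated session on the certification authority itself.

```powershell
# Added example: read-only report of the exit modules configured per CA.
function Get-CaExitModuleState {
    [CmdletBinding()]
    param(
        # Registry root from the article. Exposed as a parameter (hypothetical)
        # so the function can be pointed at an exported copy of the key.
        [string]$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    )

    if (-not (Test-Path -LiteralPath $ConfigRoot)) {
        throw "No certification authority configuration found under $ConfigRoot"
    }

    # Each subkey of Configuration is named after the common name of a CA.
    foreach ($caKey in Get-ChildItem -LiteralPath $ConfigRoot) {
        $exitKey = "$($caKey.PSPath)\ExitModules"
        $active  = @()

        if (Test-Path -LiteralPath $exitKey) {
            # "Active" may hold one or several entries. Empty entries are
            # dropped so that an empty value counts as "no exit module".
            $value  = (Get-ItemProperty -LiteralPath $exitKey -Name 'Active' -ErrorAction SilentlyContinue).Active
            $active = @($value | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
        }

        [pscustomobject]@{
            CertificationAuthority = $caKey.PSChildName
            ExitModuleCount        = $active.Count
            ActiveExitModules      = $active -join ', '
        }
    }
}

Get-CaExitModuleState | Format-Table -AutoSize

# The registry shows only the configured state. It takes effect once the
# certification authority service has been restarted.
Get-Service -Name CertSvc | Select-Object Name, Status
```

An ExitModuleCount of 0 corresponds to the empty "Active" value described in the deactivation section.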
