You can configure a Windows Certification Authority certificate template to require CA certificate manager approval, as shown below.
With this configuration autoenrollment is disabled and the CA Manager must approve the certificate request before the certificate is issued.
Normally, CA managers need to check in periodically to see if there are any pending requests to approve or decline. This article discusses how to enable email notifications when a certificate request is generated that requires approval.
First, my best practice is to create a mail-enabled security group in Active Directory called CA Managers. Add the appropriate user objects to this group and assign that group Issue and Manage Certificates and Manage CA rights on the Certification Authority, as shown below:
Now we need to configure Certificate Services for verbose event logging. Run the following command from a CMD prompt on the CA:
certutil -setreg ca\loglevel 4
You must restart the Active Directory Certificate Services service (CertSvc) for the logging level change to take effect. The CA will now log event ID 54 from source CertificationAuthority in the Application event log whenever a certificate request is generated. For example,
Log Name: Application
Date: 7/12/2012 8:16:29 AM
Event ID: 54
Task Category: None
Active Directory Certificate Services left request 51 pending in the queue for C=US, S=CA, L=Pacifica, O=Expta, OU=IT, CN=Admin, E=email@example.com. Additional information: Taken Under Submission
All we need to do now is create an event trigger on this event. The easiest way to do that is to create a certificate request so we can attach a task to the event it logs. Once you create the certificate request, find the event ID 54 in the Application event log on the CA. Right-click the event and select Attach Task To This Event.
Complete the details for the email, as shown below. Enter the valid SMTP address for the CA Managers group (created above) in the To: field. I include the URL to the CA approval page in the message text for easy access by the CA Managers. Ensure that your CA server is allowed to send SMTP email to the SMTP server you designate in the wizard. I use Telnet to test that.
Review the summary. Select the check box to Open the Properties dialog for this task when I click Finish and then click Finish.
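The same notification task can be registered from Windows PowerShell instead of the wizard, which is useful on newer servers where the Task Scheduler "Send an e-mail" action is deprecated. This is an added example, not the article's own configuration; the SMTP server, addresses, script path, approval URL and the Microsoft-Windows-CertificationAuthority provider name are assumptions to verify against your CA.

```powershell
# Added example (not from the original article). Registers a scheduled task that
# runs whenever Application event ID 54 from CertificationAuthority is logged and
# mails the CA Managers group. Addresses, paths and URLs below are assumptions.
$SmtpServer  = 'smtp.example.com'                      # assumption: relay the CA may send to
$To          = 'CAManagers@example.com'                # assumption: mail-enabled CA Managers group
$From        = 'ca-noreply@example.com'                # assumption
$ApprovalUrl = 'https://ca.example.com/certsrv/'       # assumption: CA web enrollment page
$ScriptPath  = 'C:\Scripts\Notify-PendingRequest.ps1'  # assumption

# Script the task runs. The trigger passes no event data, so it re-reads the newest
# ID 54 event and only mails when the request was really left pending.
$ScriptBody = @'
param($SmtpServer, $To, $From, $ApprovalUrl)
# Provider name behind the "CertificationAuthority" source (assumption; confirm in the event's XML view).
$evt = Get-WinEvent -MaxEvents 1 -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 54 }
if ($evt -and $evt.Message -match '(?s)request (\d+) pending.*Taken Under Submission') {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Certificate request $($Matches[1]) is awaiting CA Manager approval" `
        -Body "$($evt.Message)`n`nReview pending requests: $ApprovalUrl"
}
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBody -Encoding UTF8

# Event trigger: the same filter the "Attach Task To This Event" wizard generates.
$subscription = @"
<QueryList><Query Id="0" Path="Application"><Select Path="Application">
*[System[Provider[@Name='Microsoft-Windows-CertificationAuthority'] and EventID=54]]
</Select></Query></QueryList>
"@
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" " +
    "-SmtpServer $SmtpServer -To $To -From $From -ApprovalUrl $ApprovalUrl")
# Least privilege: the task only needs to read the Application log and send SMTP,
# so it runs as NETWORK SERVICE rather than SYSTEM or an interactive admin account.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\NETWORK SERVICE' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'Notify CA Managers of pending request' `
    -Trigger $trigger -Action $action -Principal $principal -Force
```

Test it the same way as the wizard-created task: submit a request against a template that requires CA Manager approval and confirm the CA Managers group receives the mail.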