Windows - Logging changes to Certificate Store

I have confirmed Windows Server 2012 R2 and 2016 provide event data for:

1001 Certificate Replaced  
1002 Certificate Expired  
1003 Certificate Expiration Approaching  
1004 Certificate Deleted  
1005 Certificate Archived  
1006 Certificate Installed  

With the same level of details (Subject, Thumbprint, EKU, Expiration, subject account).

You probably need to provide more details about your platform and environment.

https://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx
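
As an added example (not part of the original answer or comments): a PowerShell check that lists the CertificateServicesClient-Lifecycle channels, shows whether each is enabled and how large it is, and counts events 1001 to 1006 per ID. The wildcard channel pattern and the 20-event display limit are choices made for this example.

```powershell
# Event IDs and names exactly as listed in the answer above.
$names = @{
    1001 = 'Certificate Replaced'
    1002 = 'Certificate Expired'
    1003 = 'Certificate Expiration Approaching'
    1004 = 'Certificate Deleted'
    1005 = 'Certificate Archived'
    1006 = 'Certificate Installed'
}
$ids = 1001..1006

# Find the lifecycle channels by wildcard so both the System and User logs are checked.
$logs = @(Get-WinEvent -ListLog 'Microsoft-Windows-CertificateServicesClient-Lifecycle-*' `
            -ErrorAction SilentlyContinue)
if ($logs.Count -eq 0) {
    Write-Warning 'No CertificateServicesClient-Lifecycle channels found on this host.'
    return
}

# Channel state: a disabled or very small log would explain missing events.
$logs | Select-Object LogName, IsEnabled, RecordCount,
    @{ Name = 'MaxSizeKB'; Expression = { [int]($_.MaximumSizeInBytes / 1KB) } } |
    Format-Table -AutoSize

# Collect the lifecycle events from every channel.
# Get-WinEvent raises an error when nothing matches, so that case is silenced.
$events = @(foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = $ids } `
        -ErrorAction SilentlyContinue
})

# Per-ID summary: which of the six events have actually been recorded.
$summary = foreach ($id in $ids) {
    $hits = @($events | Where-Object { $_.Id -eq $id } | Sort-Object TimeCreated -Descending)
    [pscustomobject]@{
        Id     = $id
        Name   = $names[$id]
        Count  = $hits.Count
        Latest = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
    }
}
$summary | Format-Table -AutoSize

# Most recent events with their full message text (limit of 20 chosen for this example).
$events | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
    Format-List TimeCreated, Id, LogName, Message
```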

Author: Mikhail

Updated on September 18, 2022

Comments

  • Mikhail almost 2 years

    In Windows there is a Certificate Store, where users and admins (depending on the setup) can make their changes: add root CA, modify CRL, etc. It seems to be quite a critical place in system security. So I come to the question:

    Can Windows be set up to log changes to Certificate Store to its standard log facility, EventLog?

    Till now I only managed to get a certificate removed event (ID 1004) from CertificateServicesClient-Lifecycle log, but nothing about certificate added or anything else.

    Upd.: I tried both Windows Server 2012 R2 and Windows 10 and got same results.

    Upd.2: Just tried also on a fresh Windows 8 installation: got same results. What should be configured to enable these logs?

  • Mikhail almost 7 years
    Thank you, Greg. I tried Windows 2012R2 and Windows 10. Can you share the configuration you made that enabled these events logging please?
  • Greg Askew almost 7 years
    I'm not aware of any configuration required to enable these events. You could try increasing the log size (default size is 1 MByte). Also confirm you are checking the appropriate log (System or User).
  • Mikhail almost 7 years
    These logs contain only a few certificate deletion entries and nothing more on my test systems, so they definitely fit the log file size. I checked all CertificateServicesClient-Lifecycle logs - still cannot find the other events.
  • jojojoj almost 7 years
    In the wiki link, notice what is stated beneath the events list table: (1) Except for expiration and close to expiration notifications, only certificates in MY store are covered. (2) Only certificates exported with private keys generate the exported event.