Windows - Logging changes to Certificate Store
I have confirmed Windows Server 2012 R2 and 2016 provide event data for:
1001 Certificate Replaced
1002 Certificate Expired
1003 Certificate Expiration Approaching
1004 Certificate Deleted
1005 Certificate Archived
1006 Certificate Installed
With the same level of details (Subject, Thumbprint, EKU, Expiration, subject account).
You probably need to provide more details about your platform and environment.
Mikhail
Updated on September 18, 2022
Comments
-
Mikhail almost 2 years
In Windows there is a Certificate Store, where users and admins (depending on the setup) can make their changes: add root CA, modify CRL, etc. It seems to be quite a critical place in system security. So I come to the question:
Can Windows be set up to log changes to Certificate Store to its standard log facility, EventLog?
Till now I only managed to get a certificate removed event (ID 1004) from CertificateServicesClient-Lifecycle log, but nothing about certificate added or anything else.
Upd.: I tried both Windows Server 2012 R2 and Windows 10 and got same results.
Upd.2: Just tried also on a fresh Windows 8 installation: got same results. What should be configured to enable these logs?
-
Mikhail almost 7 years
Thank you, Greg. I tried Windows 2012R2 and Windows 10. Can you share the configuration you made that enabled these events logging please?
-
Greg Askew almost 7 years
I'm not aware of any configuration required to enable these events. You could try increasing the log size (default size is 1 MByte). Also confirm you are checking the appropriate log (System or User).
-
Mikhail almost 7 years
These logs contain only a few certificate deletion entries and nothing more on my test systems, so they definitely fit the log file size. I checked all CertificateServicesClient-Lifecycle logs - still cannot find the other events.
-
jojojoj almost 7 years
In the wiki link, notice what is stated beneath the events list table: (1) Except for expiration and close to expiration notifications, only certificates in MY store are covered. (2) Only certificates exported with private keys generate the exported event.
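
The checks discussed in this thread (which Lifecycle log, whether it is enabled, its size, and which of events 1001-1006 it actually holds) can be run in one pass. This PowerShell is an added example, not part of any post above; it assumes the account running it can read both channels, and the full channel names are the System and User variants of the CertificateServicesClient-Lifecycle log.

```powershell
# Full channel names of the CertificateServicesClient-Lifecycle logs
# (System = machine context, User = per-user context).
$channels = @(
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational',
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
)

# Event IDs and names as listed in the answer above.
$eventNames = @{
    1001 = 'Certificate Replaced'
    1002 = 'Certificate Expired'
    1003 = 'Certificate Expiration Approaching'
    1004 = 'Certificate Deleted'
    1005 = 'Certificate Archived'
    1006 = 'Certificate Installed'
}

foreach ($channel in $channels) {
    # Confirm the channel exists, is enabled, and see how close it is to its size limit.
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel not found: $channel"
        continue
    }
    '{0}: enabled={1} records={2} maxKB={3}' -f $channel, $log.IsEnabled,
        $log.RecordCount, [int]($log.MaximumSizeInBytes / 1KB)

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 1001..1006 } `
        -ErrorAction SilentlyContinue

    # Count per event ID, so a log that only ever contains 1004 stands out.
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        '  {0} {1}: {2}' -f $_.Name, $eventNames[[int]$_.Name], $_.Count
    }

    # Five most recent events with the full message text (subject, thumbprint, ...).
    $events | Select-Object -First 5 TimeCreated, Id, UserId, Message | Format-List
}
```

Per the last comment, a change made outside the MY store should not be expected in this output, so an empty count for 1006 after importing a root CA does not by itself indicate a logging fault.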