Capture All Certification Authority Configuration Changes in Windows Event Logs

Different tools can be used to change the Certification Authority configuration. Here's how to make sure the changes are logged, no matter which tool is being used.

Jan De Clercq

October 29, 2014

2 Min Read


Q: How can I make sure that all Certification Authority (CA) configuration changes are logged in the Windows event logs, no matter what tool the CA administrator uses to make those changes?

A: Windows CA administrators can use different tools to make CA configuration changes. For example, they might use the Microsoft Management Console (MMC) Certification Authority snap-in (certsrv.msc), use the certutil.exe command-line tool, or edit a CA configuration entry directly in the Windows registry editor (regedit.exe). When you configure auditing for a CA using a Windows auditing policy (by enabling auditing for the Certification Services auditing subcategory) or using the auditing settings that are available from the Certification Authority snap-in (in the CA object properties on the Auditing tab), the only configuration tool that will trigger the creation of an audit event is when the CA administrator makes the change through the Certification Authority snap-in interface. To capture CA configuration changes stored locally on a CA machine, no matter what configuration tool is used, you must configure registry auditing specifically for the Active Directory Certificate Services (AD CS) registry keys.

To enable registry auditing, you must first configure the Windows auditing policy. You can do so by using auditpol.exe from the command line or using Group Policy Object (GPO) settings. To enable registry auditing with auditpol.exe, run the command:

auditpol /set /subcategory:”registry” /success:enable /failure:enable

To set the audit policy using GPO settings, configure the Audit Registry subcategory in the Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy GPO container and set the subcategory to be enabled for both success and failure events.

After enabling registry auditing, you must configure auditing for the specific AD CS registry keys. To do this, follow these steps:

  1. Open regedit.exe and navigate to the HKEY_LOCAL_MACHINESystemServicesCertSvcConfiguration container.

  2. Right-click the Configuration registry key and select Permissions. Click Advanced, then click Auditing.

  3. Click Select a principal, and select Authenticated Users. From the Type drop-down menu, select All. From the Applies To drop-down menu, select This key and subkeys.

  4. Click Show advanced permissions and select the following advanced permissions: Set Value, Create Subkey, Delete, Write DAC, and Write Owner.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like