Q: In addition to Certification Authority (CA)–level auditing settings, are there any other configuration settings that must be set to enable auditing of CA management actions?

A: If you've enabled all CA-level auditing settings on every CA in your Windows public key infrastructure (PKI) hierarchy, which you do through the Auditing tab of the CA properties, but still no CA-related events show up in your Windows Security event logs, there's a fair chance you forgot to enable auditing for object access in the general audit settings of your CA machines. Auditing in Windows always requires two settings. First, you configure what exactly needs to be audited at the object level (in this case, on the CA object itself). Second, you must also configure the machine's audit policy and enable success or failure auditing for the relevant audit policy categories or subcategories. For example, you could configure your machine's audit policy to include success auditing for account logon events and failure auditing for privilege use events.

To enable auditing for object access on your CA machines, open the Microsoft Management Console (MMC) Group Policy Object Editor snap-in and load the Local Computer Policy. Expand the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy container and enable success and failure auditing for the Audit object access audit policy category. If all your CA machines are in the same Active Directory (AD) organizational unit (OU), you can do the same for all of them at once by editing a Group Policy Object (GPO) that's linked to that OU.
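The following PowerShell diagnostic is an added example, not part of the original answer, that checks both halves described above on a CA host: the CA-level AuditFilter bitmask that the Auditing tab writes to the registry, and the machine-level object-access audit policy as reported by auditpol.exe. It assumes the standard AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, Windows Vista/Server 2008 or later (where the Object Access category has a Certification Services subcategory), and an elevated session on the CA machine.

```powershell
# Added diagnostic for CA auditing (example code, not from the article).
# Assumes the standard AD CS registry layout and that auditpol.exe is available.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $base)) { throw 'No Certification Authority configuration found on this host.' }

# The 'Active' value names the CA; its AuditFilter value mirrors the Auditing tab
# checkboxes as a bitmask (127 = all seven groups selected, 0 or absent = none).
$caName      = (Get-ItemProperty -Path $base).Active
$caKey       = Join-Path $base $caName
$auditFilter = (Get-ItemProperty -Path $caKey -ErrorAction SilentlyContinue).AuditFilter
if ($null -eq $auditFilter) { $auditFilter = 0 }

# Half one: CA-level settings. Bit order follows certutil's AUDIT_FILTER_* flag values.
$caAuditGroups = @(
    'Start and stop Active Directory Certificate Services',   # 0x01
    'Back up and restore the CA database',                     # 0x02
    'Issue and manage certificate requests',                   # 0x04
    'Revoke certificates and publish CRLs',                    # 0x08
    'Change CA security settings',                             # 0x10
    'Store and retrieve archived keys',                        # 0x20
    'Change CA configuration'                                  # 0x40
)
"CA '$caName' AuditFilter = $auditFilter"
for ($i = 0; $i -lt $caAuditGroups.Count; $i++) {
    $state = if ($auditFilter -band (1 -shl $i)) { 'ON ' } else { 'off' }
    "  [$state] $($caAuditGroups[$i])"
}

# Half two: the machine's audit policy. CA events are written under the Object Access
# category (Certification Services subcategory); without Success and Failure here the
# CA-level checkboxes produce nothing in the Security log.
$policyRows = & auditpol.exe /get /subcategory:'Certification Services' /r |
              Where-Object { $_ -ne '' } | ConvertFrom-Csv
$setting = $policyRows.'Inclusion Setting'
"Audit policy, Certification Services subcategory: $setting"

# Report which half is still missing so the gap described in the answer is obvious.
if ($auditFilter -eq 0) {
    Write-Warning 'CA-level auditing is off: select the events on the Auditing tab of the CA properties.'
}
if ($setting -ne 'Success and Failure') {
    Write-Warning 'Object access auditing is incomplete: set Audit object access to Success and Failure.'
}
```

Run it on each CA after changing either setting; both warnings must be silent before CA management events will appear in the Security log.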
