This is a post about the implementation of security event audit logging for Public Key Infrastructure (PKI) Certificate Authority (CA) systems within Microsoft Active Directory Certificate Services (ADCS) environments. The configuration methodology requires dual-layer audit trail activation spanning both the CA service layer and the underlying Windows operating system audit subsystem.
Architecture Overview
Security event audit logging in ADCS operates through a bifurcated logging architecture that necessitates concurrent configuration at two distinct system layers:
- Application Layer: ADCS service-level audit configuration determines which security event categories are captured by the certificate authority daemon
- System Layer: Operating system audit policy configuration governs the transmission of CA-generated events to the Windows Security Event Log
Failure to configure both layers results in audit trail gaps, as each layer serves as a prerequisite for the other's functionality.
CA Service Layer Audit Configuration
Audit State Verification
The current audit configuration state can be interrogated through multiple administrative interfaces:
GUI Method:
Access via Microsoft Management Console (MMC) certificate authority snap-in (certsrv.msc) through the Properties dialog's Auditing tab.
Command-Line Interface:
Execute registry query operation to retrieve current audit filter configuration:
certutil -getreg CA\Auditfilter
Configuration Modification:
Apply new audit filter settings using registry modification:
certutil -setreg CA\Auditfilter <bitmask_value>
Audit Bitmask Interpretation
The audit configuration is stored as a registry DWORD value implementing a bitmask pattern. Each bit position corresponds to specific audit event categories:
| Bitmask Value | Event Category | Description |
|---|---|---|
| 0x00 | Audit Disabled | No security events logged |
| 0x01 | Service Lifecycle | CA service start/stop operations |
| 0x02 | Certificate Backup/Restore | Database backup and restoration events |
| 0x04 | Certificate Issuance | Certificate generation and enrollment |
| 0x08 | Certificate Revocation | Certificate revocation list operations |
| 0x10 | CA Configuration Changes | Administrative configuration modifications |
| 0x20 | CA Security Events | Security-related administrative actions |
Performance Considerations
Activation of service lifecycle auditing (bitmask 0x01) triggers cryptographic hash verification of the CA database during service transitions, potentially causing performance degradation in high-throughput environments with large certificate repositories.
Certificate Template Audit Enhancement
Extended audit functionality for certificate template processing requires activation of the EDITF_AUDITCERTTEMPLATELOAD policy flag:
certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
This configuration enables generation of Event IDs 4898, 4899, and 4900, providing granular visibility into template validation and processing operations. A CA service restart is mandatory following this configuration change.
Then to restart the service from Powershell use this command:
Restart-Service CertSvcOperating System Audit Policy Configuration
Audit Policy State Assessment
Current OS-level audit configuration can be enumerated using the audit policy utility:
auditpol.exe /get /category:*
The relevant subcategory is "Certification Services" under the "Object Access" audit category.
Command-Line Configuration Method
Direct audit policy modification via command-line interface:
auditpol /set /subcategory:"{0CCE9221-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
Note: Command-line audit policy modifications are ephemeral and may be superseded by Group Policy Object (GPO) configurations during policy refresh cycles.
Group Policy-Based Configuration (Recommended)
For domain-integrated environments, centralized audit policy deployment through GPO provides persistent configuration management:
GPO Path:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit Certification Services
Configuration Parameters:
- Success Events: Enabled
- Failure Events: Enabled
Validation and Verification
Audit Trail Verification
Following configuration implementation, validate audit functionality by:
- Event Log Inspection: Monitor Windows Security Event Log for CA-specific event generation
- Functional Testing: Execute certificate operations and verify corresponding audit events
- Policy Compliance: Confirm audit settings persistence across system reboots and policy refreshes
This event is a workflow event as you can see below:
Certificate Services approved a certificate request and issued a certificate.
Request ID: 2630099
Requester: BEAR\manager-pc
Attributes:
ccm:manager-pc.bear.local
Disposition: 3
SKI: 60 6a 04 51 3a 93 ae 7a bc 6c e2 ca aa db 7b 54 1b 0d 41 29
Subject: OU=manager.user, OU=Users, DC=bear, DC=local
Subject Alternative Name:
Other Name:
Principal Name=Manager.User@bear.local
Certificate Template: WebServer-ECC512
Serial Number: 21002821d358ed5b3560b363f90000002821d3
Authentication Service: Kerberos
Authentication Level: Privacy
DCOMorRPC: DCOM Common Event IDs
Post-implementation, expect generation of the following security event identifiers:
Core CA Security Events (4868-4897):
- 4868: Certificate request denial by certificate manager
- 4869: Certificate request resubmission
- 4870: Certificate revocation operations
- 4871-4872: Certificate Revocation List (CRL) publication lifecycle
- 4873-4874: Certificate request extension and attribute modifications
- 4875: CA service shutdown requests
- 4876-4879: Database backup and restore operations
- 4880-4881: CA service lifecycle with cryptographic hash verification
- 4882: Security permission modifications
- 4883: Archived key retrieval operations
- 4884: Certificate database import operations
- 4885: Audit filter configuration changes
- 4886-4889: Certificate request processing workflow (received, approved, denied, pending)
- 4890-4892: CA manager settings and configuration modifications
- 4893-4894: Key archival operations
- 4895: CA certificate publication to Active Directory
- 4896: Certificate database record deletion
- 4897: Role separation configuration
Extended Template Events (4898-4900) (requires EDITF_AUDITCERTTEMPLATELOAD):
- 4898: Certificate template loading operations
- 4899: Certificate template content updates
- 4900: Certificate template security descriptor modifications
Cryptographic Provider Events (5058-5059) (software-based keys only):
- 5058: Key file operations and access
- 5059: Key migration operations
Conclusion
Effective PKI security event auditing requires systematic configuration across multiple system layers. The dual-configuration requirement ensures comprehensive audit trail capture while maintaining separation of concerns between application and system-level logging mechanisms. Proper implementation provides essential visibility for security monitoring, compliance reporting, and forensic analysis capabilities.