Auditing and Event Management
Applies To: Windows Server 2003 with SP1
Event IDs Used by Certificate Services
The following event IDs are currently used by Certificate Services:
772. The Certificate Manager denied a pending certificate request.
773. Certificate Services received a resubmitted certificate request.
774. Certificate Services revoked a certificate.
775. Certificate Services received a request to publish the certificate revocation list (CRL).
776. Certificate Services published the certificate revocation list (CRL).
777. A certificate request extension changed.
778. One or more certificate request attributes changed.
779. Certificate Services received a request to shut down.
780. Certificate Services backup started.
781. Certificate Services backup completed.
782. Certificate Services restore started.
783. Certificate Services restore completed.
784. Certificate Services started.
785. Certificate Services stopped.
786. The security permissions for Certificate Services changed.
787. Certificate Services retrieved an archived key.
788. Certificate Services imported a certificate into its database.
789. The audit filter for Certificate Services changed.
790. Certificate Services received a certificate request.
791. Certificate Services approved a certificate request and issued a certificate.
792. Certificate Services denied a certificate request.
793. Certificate Services set the status of a certificate request to pending.
794. The Certificate Manager settings for Certificate Services changed.
795. A configuration entry changed in Certificate Services.
796. A property of Certificate Services changed.
797. Certificate Services archived a key.
798. Certificate Services imported and archived a key.
799. Certificate Services published the CA certificate to Active Directory.
800. One or more rows have been deleted from the certificate database.
801. Role separation enabled.
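The IDs above are the raw material for detection. The Python below is an added example, not part of the original page: it carries the ID list as a table, flags the events that change who controls the CA, what it will sign, what is audited, or that expose or destroy archived data, and looks for an audit-filter change (789) followed within a short window by a database row deletion (800) by the same account. The +4096 renumbering that Windows Server 2008 and later use for these events is not stated on this page and is included as a labelled assumption; the sample records are constructed.

```python
"""Triage of Certificate Services security-audit events by event ID.

Added example, not part of the original page. CS_EVENTS is the list of
Windows Server 2003 event IDs documented above; SAMPLE_RECORDS is constructed
sample data, not output from a real CA.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event IDs used by Certificate Services on Windows Server 2003 SP1.
CS_EVENTS = {
    772: "Certificate Manager denied a pending request",
    773: "resubmitted request received",
    774: "certificate revoked",
    775: "CRL publish requested",
    776: "CRL published",
    777: "request extension changed",
    778: "request attribute(s) changed",
    779: "shutdown requested",
    780: "backup started",
    781: "backup completed",
    782: "restore started",
    783: "restore completed",
    784: "service started",
    785: "service stopped",
    786: "security permissions changed",
    787: "archived key retrieved",
    788: "certificate imported into database",
    789: "audit filter changed",
    790: "request received",
    791: "request approved, certificate issued",
    792: "request denied",
    793: "request set to pending",
    794: "Certificate Manager settings changed",
    795: "configuration entry changed",
    796: "property changed",
    797: "key archived",
    798: "key imported and archived",
    799: "CA certificate published to Active Directory",
    800: "rows deleted from certificate database",
    801: "role separation enabled",
}

# Events that alter who controls the CA, what it will sign, what is audited,
# or that expose/destroy archived data. Alert on each of these individually.
HIGH_RISK = {786, 787, 789, 794, 795, 796, 800, 801}

# Assumption, not stated on this page: Windows Server 2008 and later log the
# same events renumbered by +4096 (772 -> 4868 ... 801 -> 4897).
MODERN_OFFSET = 4096


def normalize_id(event_id):
    """Map a post-2003 Certificate Services event ID onto the 2003 numbering."""
    if 772 + MODERN_OFFSET <= event_id <= 801 + MODERN_OFFSET:
        return event_id - MODERN_OFFSET
    return event_id


def triage(records, window=timedelta(minutes=10)):
    """records: iterable of (timestamp, event_id, account).

    Returns high-risk events, audit-filter-change -> row-deletion sequences by
    the same account within `window`, and a per-account count of CS events."""
    events = sorted((ts, normalize_id(eid), who) for ts, eid, who in records)
    findings = {"high_risk": [], "filter_then_deletion": [], "per_account": Counter()}
    for i, (ts, eid, who) in enumerate(events):
        if eid not in CS_EVENTS:
            continue                      # not a Certificate Services event
        findings["per_account"][who] += 1
        if eid in HIGH_RISK:
            findings["high_risk"].append((ts, eid, who, CS_EVENTS[eid]))
        if eid == 789:                    # audit filter changed ...
            for ts2, eid2, who2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if eid2 == 800 and who2 == who:   # ... then rows deleted by same account
                    findings["filter_then_deletion"].append((ts, ts2, who))
    return findings


# Constructed sample records: (timestamp, event ID, account).
T0 = datetime(2005, 3, 1, 9, 0, 0)
SAMPLE_RECORDS = [
    (T0, 784, "NT AUTHORITY\\SYSTEM"),                           # service started
    (T0 + timedelta(minutes=1), 790, "CORP\\alice"),             # request received
    (T0 + timedelta(minutes=1, seconds=2), 791, "CORP\\alice"),  # issued
    (T0 + timedelta(minutes=30), 789, "CORP\\mallory"),          # audit filter changed
    (T0 + timedelta(minutes=33), 800, "CORP\\mallory"),          # rows deleted
    (T0 + timedelta(minutes=40), 4882, "CORP\\bob"),             # 786 in 2008+ numbering
    (T0 + timedelta(minutes=41), 4624, "CORP\\bob"),             # logon event, ignored
]

if __name__ == "__main__":
    for ts, eid, who, text in triage(SAMPLE_RECORDS)["high_risk"]:
        print(ts, eid, who, text)
```

The sequence check is deliberately narrow (same account, same ten-minute window); widen it for a real deployment, and treat the HIGH_RISK set as a starting point rather than a complete policy.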
Breakdown of Shared Event IDs
796:
Property: 29
Index: 0
Type: 4
Adding/removing a template to/from the CA. Value is the list of resulting templates by name and object identifier.
Property: 26
Index: <KRA cert index>
Type: 3
Adding a KRA certificate to the CA. Value is the Base64 representation of the certificate.
Property: 25 (CR_PROP_KRACERTCOUNT)
Index: 0
Type: 1
Removing a KRA certificate from the CA. Value is the total KRA certificate count.
Property: 24 (CR_PROP_KRACERTUSEDCOUNT)
Index: 0
Type: 1
Adding/removing the number of KRA certificates to use for key archival. Value is the resulting number of certificates to use. A value of 0 indicates that key archival is disabled.
For example, you can add 7 KRA certificates to the CA but configure it to use only 3. In this case, property 25 (CR_PROP_KRACERTCOUNT) will be 7 and property 24 (CR_PROP_KRACERTUSEDCOUNT) will be 3.
795:
Node: (blank; the CA configuration root)
Entry: CRLPeriod, CRLPeriodUnits, CRLDeltaPeriod, or CRLDeltaPeriodUnits
Describes a change in the CRL publication schedule. A value of 0 for CRLDeltaPeriodUnits means delta CRL publishing is disabled.
Node: PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
Entry: RequestDisposition
Value: 1
Sets the CA to issue incoming requests unless specified otherwise.
Node: PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
Entry: RequestDisposition
Value: 257
Sets the CA to keep incoming requests pending.
Node: ExitModules\CertificateAuthority_MicrosoftDefault.Exit
Entry: PublishCertFlags
Value: 1
Allows certificates to be published to the file system.
Node: ExitModules\CertificateAuthority_MicrosoftDefault.Exit
Entry: PublishCertFlags
Value: 0
Disallows publishing certificates to the file system.
Node: ExitModules
Entry: Active
Change in the active exit module. Value specifies the name of the new module; blank means none.
Node: PolicyModules
Entry: Active
Change in the active policy module. Value specifies the name of the new module.
Node: (blank; the CA configuration root)
Entry: CRLPublicationURLs
Change in CDPs or AIAs. Value specifies the resulting set of CDPs.
Node: (blank; the CA configuration root)
Entry: CACertPublicationURLs
Change in AIAs or CDPs. Value specifies the resulting set of AIAs.
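Decoding these two events in practice, as an added example that is not part of the original page: the Python below turns the property numbers of a 796 event and the node/entry/value triple of a 795 event, as listed in the breakdowns above, into structured findings (delta CRLs disabled, requests pended rather than issued, exit module removed, key archival switched off, and so on). Only properties 24 and 25 are named on the page; the names used for 26 and 29 (CR_PROP_KRACERT, CR_PROP_TEMPLATES) are the certcli.h constants. The `<flags>:<url>` form of the publication-URL entries is the registry form of those values. The sample events, including the template OIDs in them, are constructed.

```python
"""Decode the shared Certificate Services events 795 (configuration entry
changed) and 796 (property changed) into structured findings.

Added example, not part of the original page. Property numbers, registry
nodes/entries and values follow the breakdown above; SAMPLE_EVENTS and the
template OIDs in it are constructed.
"""
import base64

# Event 796 property numbers. 24 and 25 are named on the page; the names for
# 26 and 29 are the certcli.h constants (not taken from the page).
CR_PROP_KRACERTUSEDCOUNT = 24   # KRA certs used for archival; 0 = key archival off
CR_PROP_KRACERTCOUNT = 25       # total KRA certs held by the CA
CR_PROP_KRACERT = 26            # one KRA cert (Base64); Index selects which
CR_PROP_TEMPLATES = 29          # resulting template list (name and OID)

# Event 795 nodes, relative to the CA configuration key (blank = root).
DEFAULT_POLICY = "PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy"
DEFAULT_EXIT = "ExitModules\\CertificateAuthority_MicrosoftDefault.Exit"
CRL_SCHEDULE = {"CRLPeriod", "CRLPeriodUnits", "CRLDeltaPeriod", "CRLDeltaPeriodUnits"}


def _split_urls(value):
    """CRLPublicationURLs / CACertPublicationURLs are multi-string values; each
    entry has the registry form '<flags>:<url>'. Returns [(flags, url), ...]."""
    out = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, sep, url = line.partition(":")
        out.append((int(flags), url) if sep and flags.isdigit() else (None, line))
    return out


def decode_795(node, entry, value):
    """Interpret a 795 event from its node (relative path), entry name and value."""
    node = node.strip("\\")
    if node == "" and entry in CRL_SCHEDULE:
        n = int(value)
        finding = {"change": "crl_schedule", "entry": entry, "value": n}
        if entry == "CRLDeltaPeriodUnits":
            finding["delta_crl_enabled"] = n != 0     # 0 disables delta CRLs
        return finding
    if node == "" and entry == "CRLPublicationURLs":
        return {"change": "cdp", "urls": _split_urls(value)}
    if node == "" and entry == "CACertPublicationURLs":
        return {"change": "aia", "urls": _split_urls(value)}
    if node == DEFAULT_POLICY and entry == "RequestDisposition":
        n = int(value)                                # 1 = issue, 257 = pend
        return {"change": "request_disposition", "value": n,
                "mode": {1: "issue", 257: "pending"}.get(n, "other")}
    if node == DEFAULT_EXIT and entry == "PublishCertFlags":
        return {"change": "publish_cert_flags",       # 1 allows, 0 disallows
                "file_system_publication": int(value) == 1}
    if node in ("PolicyModules", "ExitModules") and entry == "Active":
        return {"change": "active_module", "kind": node, "module": value or None}
    return {"change": "other", "node": node, "entry": entry, "value": value}


def decode_796(prop, index, prop_type, value):
    """Interpret a 796 event from its Property, Index, Type and logged value."""
    if prop == CR_PROP_TEMPLATES:
        # Value is the resulting template list; parsed here as 'Name OID' per line.
        templates = [tuple(ln.split(None, 1)) for ln in value.splitlines() if ln.strip()]
        return {"change": "templates", "templates": templates}
    if prop == CR_PROP_KRACERT:
        return {"change": "kra_cert_added", "index": index,
                "der_length": len(base64.b64decode(value))}
    if prop == CR_PROP_KRACERTCOUNT:
        return {"change": "kra_cert_count", "count": int(value)}
    if prop == CR_PROP_KRACERTUSEDCOUNT:
        n = int(value)
        return {"change": "kra_used_count", "count": n, "key_archival_enabled": n > 0}
    return {"change": "unknown", "property": prop, "index": index,
            "type": prop_type, "value": value}


def decode(event):
    """event: dict with 'id' (795 or 796) and the fields shown in the breakdown."""
    if event["id"] == 795:
        return decode_795(event["node"], event["entry"], event["value"])
    if event["id"] == 796:
        return decode_796(event["property"], event["index"], event["type"], event["value"])
    raise ValueError("not a 795/796 event")


# Constructed sample events (field values are placeholders, not from a real CA).
SAMPLE_EVENTS = [
    {"id": 795, "node": "", "entry": "CRLDeltaPeriodUnits", "value": "0"},
    {"id": 795, "node": DEFAULT_POLICY, "entry": "RequestDisposition", "value": "257"},
    {"id": 795, "node": DEFAULT_EXIT, "entry": "PublishCertFlags", "value": "1"},
    {"id": 795, "node": "ExitModules", "entry": "Active", "value": ""},
    {"id": 795, "node": "", "entry": "CRLPublicationURLs",
     "value": "65:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl\n"
              "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"},
    {"id": 796, "property": CR_PROP_KRACERTCOUNT, "index": 0, "type": 1, "value": "7"},
    {"id": 796, "property": CR_PROP_KRACERTUSEDCOUNT, "index": 0, "type": 1, "value": "3"},
    {"id": 796, "property": CR_PROP_KRACERTUSEDCOUNT, "index": 0, "type": 1, "value": "0"},
    {"id": 796, "property": CR_PROP_TEMPLATES, "index": 0, "type": 4,
     "value": "User 1.3.6.1.4.1.311.21.8.1.1.1\nWebServer 1.3.6.1.4.1.311.21.8.1.1.2"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], decode(e))
```

The findings worth alerting on from this decoder are the ones that weaken the CA silently: `delta_crl_enabled` turning false, `key_archival_enabled` turning false while `kra_cert_count` stays high, an `active_module` of `None`, and a template or CDP/AIA list that differs from the approved baseline.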
CA Audit Specification
The following tables provide more information about the data contained in the CA audit events.
Certificate Request Events
Audit Event | Audit Data |
---|---|
Certificate Request Submission | Request ID; UPN of Requestor |
Certificate Request Processing | Request ID; Distinguished Name of Subject; Result of Processing (Issue, Pend, or Deny) |
Certificate Issuance | Request ID; Certificate Serial No; Hash of Certificate; Certificate Template and Version; Sequence Number from CSP |
Certificate Publication | Request ID; Distinguished Name of Object Updated; DC Name; Certificate Serial No |
Certificate Revocation | Certificate Serial No; Time for Revocation; Reason for Revocation |
Key Archived | Request ID; UPN of Requestor; List of Hashes of Recovery Agent Certificate(s) |
Certificate Management Audit Events
Audit Event | Audit Data |
---|---|
Certificate Revocation Request | Issuer Name and Serial No of Signing Certificate (if signed); Revocation Reason; UPN of Certificate Manager |
Request Resubmission | Request ID; UPN of Certificate Manager |
Denied Request | Request ID; UPN of Certificate Manager |
Certificate Import | Request ID; UPN of Certificate Manager |
Archived Key Retrieval | Request ID; Certificate Serial Number; Hash of Encrypted Blob; UPN of Certificate Manager |
CA Administration Audit Events
Audit Event | Audit Data |
---|---|
Service Start or Stop | Hash of the Certificate Services Database Directories; Hash of the Database Log Directories; List of All Hashes of the Certificate Services Certificates; Sequence Number from CSP |
CA Certificate Renewal Request | UPN of Requestor; SKI |
CA Certificate Installation | UPN of Installer; Hash of Certificate; Issuer Name; AKI; SKI |
CRL Creation and Publication | CRL Type; AKI; Hash of CRL; Base and/or Delta CRL; CRL This Update; CRL Next Update; URL Used to Publish; SKI (Identifier of CA); UPN of Service Manager |
Configure CRL Publication Policy | List of All CRL Policy Entries; UPN of Service Manager |
Selecting Policy Module | Name of Active Policy Module (relative registry path); UPN of Service Manager |
Selecting Exit Module | Name of Active Exit Module (relative registry path); UPN of Service Manager |
Configure Policy Module | Name of Policy Module; Configuration Entry Name; New Configuration Entry Value; UPN of Service Manager |
Configure Exit Module | Name of Exit Module; Configuration Entry Name; New Configuration Entry Value; UPN of Service Manager |
Certificate Template Update | Template Name; Template Major and Minor Version Nos; List of Template Attributes; UPN of Service Manager |
Key Archive Policy Change | Subject Name of Key Recovery Agent Certificate; Hash of Key Recovery Agent Certificate; Number of Key Recovery Agent Certificates Used; UPN of Service Manager |
Database Row Deletion | Table Row; UPN of Service Manager |
Configure Certificate Manager Restrictions | Enable/Disable Restrictions; UPN of Each Certificate Manager, List of Users to Manage, Type of ACE (Allow/Deny); UPN of Service Manager |
Configure CA Security | UPN of Each User, Control Access Type, Type of ACE (Allow/Deny); UPN of Service Manager |
Configure CDP | List of All CDPs; UPN of Service Manager |
Configure AIA | List of All AIAs; UPN of Service Manager |
Backup/Restore Events
Audit Event | Audit Data |
---|---|
Start Service Backup | UPN of Operator; Backup Type; Backup Set ID; Data Integrity Check On/Off |
Finish Service Backup | |
Cancel Service Backup | |
Start Service Restore | UPN of Operator; Restore Type; Backup Set ID; Data Integrity Check On/Off |
Finish Service Restore | Integrity Check OK (if integrity checking on) |
Cancel Service Restore | UPN of Operator |
Audit Events
Audit Event | Audit Data |
---|---|
Audit Filter Change | Value of New Audit Filter; UPN of Auditor |