Learn how to configure auditing logs in Active Directory Certificate Services (AD CS) to monitor all key actions in your Certificate Authority. A complete setup guide.
Open Server Manager > Tools > Certification Authority, right-click domainname-DC-CA, and choose Properties > Auditing.

You can activate the audit logs according to your needs from the section below; I recommend activating all of them.

After enabling them, I checked and nothing seems to be missing; I preferred to enable them all.

After activating the audit logs, it is useful to stop and restart the service. You can do it with the following commands or manually.
net stop certsvc
net start certsvc

What each audit category means and what it logs is detailed below.
Back up and restore the CA database – Controls logging of events triggered when backup or restore commands are issued against the CA database.
Change CA configuration – Controls logging of events related to the changing of properties and configuration of the CA through the CA snap-in. Example events logged are changing CRL validity periods, changing policy or exit module configuration, or updating configured CDP/AIA extensions.
Change CA security settings – Controls logging of events triggered by modification of the CA security settings done through the CA snap-in. Example events include enabling/disabling role separation, changing the audit filter, or changing the access control list for the CA.
Issue and manage certificate requests – Controls logging of events related to the issuance of certificates. This includes logging when a request is received, set to pending, denied, or issued. In high-volume issuance environments this can generate a large number of alerts, but enabling it where possible is recommended because it provides a strong audit trail of all issuance events.
Revoke certificates and publish CRLs – Controls auditing of events related to revocation and publishing of CRLs.
Store and retrieve archived keys – Controls auditing of events related to the CA archiving keys or recovering previously archived keys. This includes when a key is imported into the CA database and archived.
Start and stop Active Directory Certificate Services – Controls creation of audit events whenever AD CS is started and stopped. A similar event is also logged to the Application log; enabling this option additionally writes an event to the Security log. If enabled, a cryptographic hash of the CA database is taken on startup and shutdown of the CA service. When the database becomes large, this may begin to impact service availability, because the RPC interface for the CA is not available while the hash is being computed. The start and stop times of the service may be very long depending on the size of the database.
We confirm that the audit trails we have set up are being processed properly and there does not appear to be any problem.
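
One way to run that confirmation from PowerShell on the CA server. This is an added example, not part of the original guide; the registry path, the `auditpol` subcategory and event IDs 4880/4881/4885 do not appear on the page and are the standard Windows ones. AD CS audit events only reach the Security log when the "Certification Services" audit policy subcategory is enabled, so the script checks that as well as the CA's own filter.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# AuditFilter is a bitmask; 127 (0x7F) means all seven Auditing checkboxes are ticked.
$categories = @(
    @{ Bit = 1;  Name = 'Start and stop Active Directory Certificate Services' }
    @{ Bit = 2;  Name = 'Back up and restore the CA database' }
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' }
    @{ Bit = 8;  Name = 'Revoke certificates and publish CRLs' }
    @{ Bit = 16; Name = 'Change CA security settings' }
    @{ Bit = 32; Name = 'Store and retrieve archived keys' }
    @{ Bit = 64; Name = 'Change CA configuration' }
)

# 1. Read the filter of the active CA straight from the CertSvc configuration key.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$filter = [int](Get-ItemProperty -Path (Join-Path $cfg $caName) -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
"CA '$caName' AuditFilter = $filter"
foreach ($c in $categories) {
    $state = if ($filter -band $c.Bit) { 'ON ' } else { 'OFF' }
    "  [$state] $($c.Name)"
}

# 2. The CA only hands events to the Security log when this audit policy subcategory is on.
#    Subcategory name and setting text are as shown on an English-language OS (assumption).
$policy = auditpol /get /subcategory:"Certification Services" /r | Where-Object { $_ } | ConvertFrom-Csv
"Audit policy 'Certification Services' = $($policy.'Inclusion Setting')"
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Certification Services auditing is off: CA events will not reach the Security log.'
}

# 3. Look for the events the certsvc restart itself should have produced
#    (4881 = service stopped, 4880 = service started, 4885 = audit filter changed).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881, 4885; StartTime = $since } -ErrorAction SilentlyContinue
if ($events) {
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id | Format-Table -AutoSize
} else {
    Write-Warning "No AD CS audit events since $since. Check steps 1 and 2, then restart certsvc."
}
```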

