...Because someone's gotta tell the story...


To return to the main Blog List, click Full Blog Listing.



Demystify PKI - Act II: Certificate Logging

Tuesday, February 13, 2018 in Technical Articles (Views: 1166)
This is a quick blog on how to enable certificate logging, as by default this is not enabled in Windows.

First, a common falacy is that all things are located in the System or Application logs. Whereas this seems true to a point, there are many other logs to look at in Windows. Of course, being this is PKI, some may say the Security log.

Actually, the answer is the CAPI log. To enable this log:
  • Open Event Viewer
  • Expand Applications and Services Logs
  • Expand Microsoft
  • Expand Windows
  • Expand CAPI2
  • Right click Operational
  • Click Enable Log
  • Reproduce your issue
  • Disable logging by following the above steps but Enable Log will turn into Disable Log
  • Save the log, if desired, for analysis on another system.

If you want to enable verbose mode, there are 2 registry keys to set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32:
  • 64-bit QWORD DiagLevel to (hex) 5
  • 32-bit DWORD DiagMatchAnyMask to (hex) 0x00ffffff

Hope this helps your troubleshooting of PKI.


Related Blogs You May Be Interested In:

To leave a comment, please log in and/or register.