Demystify PKI - Act II: Certificate Logging

This is a quick blog on how to enable certificate logging, as by default this is not enabled in Windows.

For reference, this is a multi-part blog on PKI, here are the other entries:
Demystify PKI (aka AD Certificate Services) - Act I: Cryptography

First, a common falacy is that all things are located in the System or Application logs. Whereas this seems true to a point, there are many other logs to look at in Windows. Of course, being this is PKI, some may say the Security log.

Actually, the answer is the CAPI log. To enable this log:

  • Open Event Viewer
  • Expand Applications and Services Logs
  • Expand Microsoft
  • Expand Windows
  • Expand CAPI2
  • Right click Operational
  • Click Enable Log
  • Reproduce your issue
  • Disable logging by following the above steps but Enable Log will turn into Disable Log
  • Save the log, if desired, for analysis on another system.

If you want to enable verbose mode (do this if standard logging isn't helping), there are 2 registry keys to set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32:

  • 64-bit QWORD DiagLevel to (hex) 5 (the 0x0000000 can be ignored)
  • 32-bit DWORD DiagMatchAnyMask to (hex) 0x00ffffff

Hope this helps your troubleshooting of PKI.

— Easy link to my blog:
If you like my blogs, please share it on social media and/or leave a comment.