CA Auditing

Applies To: Windows Server 2003 with SP1

Auditing certification authority (CA) operations is supported for Windows Server 2003 Enterprise Edition. The audit events are logged in the Security log and can be viewed using the Event Viewer utility. CA auditing depends on system object access auditing, so the system administrator must first enable object access auditing on the target system.

CA auditing is enabled by selecting which group of CA operations to audit in the MMC snap-in. The following sections describe each group of CA operations that can be audited.

CA Audit Groups

The following groups of events can be configured for auditing:

  • Back Up and Restore the CA Database

  • Change CA Configuration

  • Change CA Security Settings

  • Issue and Manage Certificate Requests

  • Revoke Certificates and Publish CRLs

  • Store and Retrieve Archived Keys

  • Start and Stop Certificate Services
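The groups selected in the snap-in are stored as a bitmask in the CA's AuditFilter registry value, which `certutil -getreg CA\AuditFilter` prints. The following check is an added example, not part of the original page: it decodes that value and lists the audit groups that are switched off. The bit values are the ones Microsoft documents for AuditFilter; the sample output and the CA name in it are constructed.

```python
import re

# AuditFilter bit values as documented by Microsoft (not listed on this page).
AUDIT_GROUPS = {
    0x01: "Start and Stop Certificate Services",
    0x02: "Back Up and Restore the CA Database",
    0x04: "Issue and Manage Certificate Requests",
    0x08: "Revoke Certificates and Publish CRLs",
    0x10: "Change CA Security Settings",
    0x20: "Store and Retrieve Archived Keys",
    0x40: "Change CA Configuration",
}
ALL_GROUPS = sum(AUDIT_GROUPS)  # 0x7f (127): every group audited

# Constructed sample of `certutil -getreg CA\AuditFilter` output; CA name is made up.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example-CA\AuditFilter:

  AuditFilter REG_DWORD = 4d (77)
CertUtil: -getreg command completed successfully.
"""

def parse_audit_filter(certutil_output):
    """Extract the AuditFilter DWORD (printed in hex) from certutil output."""
    m = re.search(r"AuditFilter\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", certutil_output)
    if m is None:
        raise ValueError("AuditFilter value not found in certutil output")
    return int(m.group(1), 16)

def audit_gaps(mask):
    """Return (enabled, missing) audit group names for a filter mask."""
    enabled = [name for bit, name in AUDIT_GROUPS.items() if mask & bit]
    missing = [name for bit, name in AUDIT_GROUPS.items() if not mask & bit]
    return enabled, missing

def report(certutil_output):
    """Build a readable report of which CA audit groups are on or off."""
    mask = parse_audit_filter(certutil_output)
    enabled, missing = audit_gaps(mask)
    lines = ["AuditFilter = 0x%02x (%d)" % (mask, mask)]
    lines += ["  [on ] " + name for name in enabled]
    lines += ["  [OFF] " + name for name in missing]
    if mask & ~ALL_GROUPS:
        lines.append("  unknown bits set: 0x%x" % (mask & ~ALL_GROUPS))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

A full mask only shows that the CA is configured to audit; events still reach the Security log only when object access auditing is enabled on the system.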

Back Up and Restore the CA Database

By enabling auditing on this group, successful or failed attempts to back up the CA database will be logged to the system Security log. In addition, the CA service will detect on restart that the CA database has been restored. The restore events are logged to the system Security log.

Change CA Configuration

By enabling auditing on this group, successful or failed attempts to change CA configuration will be logged to the system Security log. This includes the following operations:

  • Add/Remove Templates to the CA

  • Configure the CRL Publication Schedule

  • Modify Request Disposition for the Policy Module

  • Modify Publish Cert Flags for the Exit Module

  • Configure CRL Distribution Points (CDP)

  • Configure Authority Information Access (AIA)

  • Change the Policy Module

  • Change the Exit Module

  • Configure Key Archival and Recovery (KAR)

Change CA Security Settings

By enabling auditing for this group, successful or failed attempts to change CA security settings will be logged to the system Security log. This includes the following operations:

  • Configure CA Roles for Role-Based Administration of the CA

  • Configure Restrictions on Certificate Managers

  • Configure CA Auditing

Issue and Manage Certificate Requests

By enabling auditing for this group, successful or failed attempts to issue and manage certificate requests will be logged to the system Security log. This includes the following operations:

  • Incoming Certificate Requests

  • Certificate Issuance

  • Certificate Import

  • Deletion of Rows in the CA Database

Revoke Certificates and Publish CRLs

By enabling auditing for this group, successful or failed attempts to revoke certificates and publish CRLs will be logged to the system Security log. This includes the following operations:

  • Certificate Revocation

  • CRL Publication

Store and Retrieve Archived Keys

By enabling auditing for this group, successful or failed attempts to store and retrieve archived keys will be logged to the system Security log. This includes the following operations:

  • Archival of Subject Keys

  • Retrieval of Subject Keys

Start and Stop Certificate Services

By enabling auditing for this group, successful or failed attempts to start and stop Certificate Services will be logged to the system Security log. This includes the following operations:

  • Starting Certificate Services

  • Stopping Certificate Services