Configure logging level for the certification authority event log.

Some Windows events are generated by the certification authority only at or above a certain logging level.

The following describes how to determine and change the logging level of a certification authority.

The logging level is stored under the following registry key of the certification authority.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\LogLevel

It can also be determined with the following command:

certutil -getreg CA\LogLevel

The default value is 3 (CERTLOG_WARNING).


The numerical values are translated into the following variables:

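| Value | Meaning | Additional Events |
|-------|---------|-------------------|
| 0 | CERTLOG_MINIMAL | |
| 1 | CERTLOG_TERSE | |
| 2 | CERTLOG_ERROR | |
| 3 | CERTLOG_WARNING (default setting) | |
| 4 | CERTLOG_VERBOSE | 52, 68, 69, 70, 71, 72, 73, 76, 97 |
| 5 | CERTLOG_EXHAUSTIVE | |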

The log level can be changed with the following command:

certutil -setreg ca\Loglevel {LogLevel}

Increasing the logging level can generate a lot of events. Make sure the event log is allowed to grow large enough to hold them; otherwise, earlier events will be overwritten. It is advisable to increase the logging level only temporarily.

After the logging level has been changed, the certification authority service must be restarted.

Restart-Service -ServiceName CertSvc
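The whole procedure as one script, raising the level only for a limited window and restoring the previous value afterwards. This is an added example, not part of the original article; the parameter names, the 256 MB minimum log size, the parsed certutil output format, and the use of the Application log with the provider name Microsoft-Windows-CertificationAuthority are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
# Added example: temporarily raise the CA log level, then restore it.
param(
    [ValidateRange(0, 5)][int]$TempLevel = 4,   # 4 = CERTLOG_VERBOSE
    [int]$WindowMinutes = 15,                   # assumed capture window
    [long]$MinLogBytes = 256MB                  # assumed minimum event log size
)

function Get-CaLogLevel {
    # Assumes certutil prints a line such as "LogLevel REG_DWORD = 3".
    $out = (certutil -getreg CA\LogLevel) -join "`n"
    if ($out -match 'LogLevel\s+REG_DWORD\s*=\s*(\d+)') { return [int]$Matches[1] }
    throw "Could not read CA\LogLevel. certutil output: $out"
}

function Set-CaLogLevel([int]$Level) {
    certutil -setreg CA\LogLevel $Level | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name CertSvc               # the new level applies after a restart
}

$original = Get-CaLogLevel

# Make sure the log can hold the extra events before raising the level.
# Assumption: the CA writes its events to the Application log.
$log = Get-WinEvent -ListLog Application
if ($log.MaximumSizeInBytes -lt $MinLogBytes) {
    Write-Warning "Application log limit is $($log.MaximumSizeInBytes) bytes; raising it."
    wevtutil sl Application "/ms:$MinLogBytes"
}

$start = Get-Date
try {
    Set-CaLogLevel $TempLevel
    Start-Sleep -Seconds ($WindowMinutes * 60)  # reproduce the issue in this window
}
finally {
    Set-CaLogLevel $original                    # always return to the previous level
}

# Show the events the table lists as additional at level 4.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 52, 68, 69, 70, 71, 72, 73, 76, 97
    StartTime    = $start
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```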
