| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5125 (0x1405) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A request was submitted to OCSP Responder Service. |
| Event text (German): | A request is transmitted to the OCSP response service. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: SubjectUserSid (win:SID)
- %2: SubjectUserName (win:UnicodeString)
- %3: SubjectDomainName (win:UnicodeString)
- %4: SubjectLogonId (win:HexInt64)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Example events
A request was submitted to OCSP Responder Service. Certificate Serial Number: 73000000ab6b883da4b84844b80000000000ab Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE Revocation Status: Good
A request was submitted to OCSP Responder Service. Certificate Serial Number: 1940dca79adf43b64a043106ed6f3571 Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE Revocation Status: Unknown
Description
This event is only triggered when the Audit logging is enabled for the online responder and configured to log requests to the responder.
Revocation Status: Good
Is generated if the requested serial number is known and is not entered on a valid revocation list. Without deterministic "good", this response has no significance as to whether the certificate was issued by the certification authority at all.
Revocation Status: Revoked
Generated if the requested serial number is known and found in a valid blacklist.
Revocation Status: Unknown
Generated when the requested serial number is not known to the online responder.
In conjunction with the deterministic "good", this may indicate that a certificate is in circulation that is was not signed by the certification authority, for example, if their private key has been compromised.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Is the online responder for a "Deterministic Good" is configured, an event with status "Unknown" may indicate that a certificate not issued by one of the configured certificate authorities was requested.
Another indication can be the serial number of the certificate. The serial numbers of a certificate issued by a Microsoft certification authority always have a common prefix (see also article "How is the serial number of a certificate formed?"). If the prefix of the serial number of the checked certificate differs, this may also indicate that a certificate not issued by one of the configured certificate authorities was requested.
You should also be alerted if certificates with the status "Revoked" (too frequent) are requested.
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
- Signing certificates bypassing the certification authority
English 
Deutsch
6 thoughts on “Details zum Ereignis mit ID 5125 der Quelle Microsoft-Windows-Security-Auditing”
Comments are closed.