Details of the event with ID 5125 of the source Microsoft-Windows-Security-Auditing

Event Source:Microsoft Windows Security Auditing
Event ID:5125 (0x1405)
Event log:Security
Event type:Information
Event text (English):A request was submitted to OCSP Responder Service.
Event text (German):A request is transmitted to the OCSP response service.

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: SubjectUserSid (win:SID)
  • %2: SubjectUserName (win:UnicodeString)
  • %3: SubjectDomainName (win:UnicodeString)
  • %4: SubjectLogonId (win:HexInt64)

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Example events

A request was submitted to OCSP Responder Service.
Certificate Serial Number: 73000000ab6b883da4b84844b80000000000ab
Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE
Revocation Status: Good
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 1940dca79adf43b64a043106ed6f3571
Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE
Revocation Status: Unknown

Description

This event is only triggered when the Audit logging is enabled for the online responder and configured to log requests to the responder.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

Revocation Status: Good

Is generated if the requested serial number is known and is not entered on a valid revocation list. Without deterministic "good", this response has no significance as to whether the certificate was issued by the certification authority at all.

Revocation Status: Revoked

Generated if the requested serial number is known and found in a valid blacklist.

Revocation Status: Unknown

Generated when the requested serial number is not known to the online responder.

In conjunction with the deterministic "good", this may indicate that a certificate is in circulation that is was not signed by the certification authority, for example, if their private key has been compromised.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

Is the online responder for a "Deterministic Good" is configured, an event with status "Unknown" may indicate that a certificate not issued by one of the configured certificate authorities was requested.

Another indication can be the serial number of the certificate. The serial numbers of a certificate issued by a Microsoft certification authority always have a common prefix (see also article "How is the serial number of a certificate formed?"). If the prefix of the serial number of the checked certificate differs, this may also indicate that a certificate not issued by one of the configured certificate authorities was requested.

You should also be alerted if certificates with the status "Revoked" (too frequent) are requested.

Related links:

External sources

en_USEnglish