When trying to track down an error in the Certificate Enrollment Policy Web Service (CEP), it is helpful to enable debug logging.
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".
Installation log
During the installation (role configuration) the actions are written to the following log file.
%WINDIR%\certocm.log
Enable debug logging
Debug logging can be enabled with the following command:
certutil -setreg enroll\debug 0xffffffe3
Before logging becomes active, the CEP service must be restarted with the iisreset command.
iisreset
The log files are written to the following locations:
- %WINDIR%\certenroll.log if the CEP service account has write permissions to this directory (which is the case if the account has local administrator rights, something that should be avoided for security reasons).
- %USERPROFILE%\certenroll.log (the profile of the CEP service account, not of the logged-on administrator) if the CEP service account has no write permissions to the above directory.
Disable debug logging
Debug logging can be disabled again with the following command line command:
certutil -delreg enroll\debug
Afterwards, a restart of the NDES service with the iisreset command is required again to stop logging.
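The procedure above, wrapped into a single PowerShell script as an added example (not code from the original article): it enables or disables the debug flag, recycles IIS, and then looks in both candidate locations for certenroll.log, since where it lands depends on the service account's permissions. Assumed: the script runs elevated on the CEP server, the CEP application pool carries the installer's default name "WSEnrollmentPolicyServer", and the WebAdministration module that ships with IIS is present.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article.
# Assumptions: CEP app pool name is the installer default "WSEnrollmentPolicyServer";
# the WebAdministration module (installed with IIS) is available.
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Action = 'Enable'
)

$poolName = 'WSEnrollmentPolicyServer'   # assumed default CEP application pool name

function Get-CepServiceAccount {
    Import-Module WebAdministration -ErrorAction Stop
    $pool = Get-Item "IIS:\AppPools\$poolName" -ErrorAction Stop
    if ($pool.processModel.identityType -eq 'SpecificUser') {
        return $pool.processModel.userName            # e.g. CONTOSO\svc-cep
    }
    return "IIS AppPool\$poolName"                    # virtual account for ApplicationPoolIdentity
}

function Test-IsLocalAdmin([string]$Account) {
    # The article advises against running CEP under a local administrator.
    # Group member names are returned as COMPUTER\user or DOMAIN\user.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -ieq $Account })
}

$account = Get-CepServiceAccount
Write-Host "CEP application pool identity: $account"
if (Test-IsLocalAdmin $account) {
    Write-Warning "$account is in the local Administrators group; the log will be written to %WINDIR%, but this privilege level should be reduced."
}

if ($Action -eq 'Enable') {
    # Same registry value the article uses to switch on enrollment debug tracing.
    certutil -setreg enroll\debug 0xffffffe3 | Out-Null
} else {
    certutil -delreg enroll\debug | Out-Null
}

# Logging only starts or stops once the IIS worker process has been recycled.
iisreset | Out-Null

# Candidate locations from the article: %WINDIR% if the account may write there,
# otherwise the service account's own profile directory under \Users.
$candidates = @("$env:WINDIR\certenroll.log") +
              (Get-ChildItem "$env:SystemDrive\Users\*\certenroll.log" -ErrorAction SilentlyContinue).FullName
foreach ($log in $candidates | Where-Object { $_ -and (Test-Path $_) }) {
    Write-Host "Found log: $log (last write $((Get-Item $log).LastWriteTime))"
}
```

Run with -Action Disable once the investigation is finished so the verbose trace does not keep growing.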