╔═══════════════════════════════════════
║ Instructions - PKI - CAPI2 Log

┌───────────────────────────────────────
│ Plainspeak

These settings and registry values let you capture logging around CAPI2 processing, that is, the certificate-handling part of CryptoAPI (crypt32.dll): chain building, revocation checking and policy verification of digital certificates. They are especially useful when you suspect that a certificate somewhere in a chain is invalid and is the cause of your grief. Windows is frankly less than stellar about ease-of-use with CAPI2 logging and diagnostics, and the procedures below are the only way to get the required visibility.

An example of how less than stellar: if you enable verbose logging in order to capture the certificates that crypt32 processes, the binary X.509 objects are written under the '%USERPROFILE%' of the account the processing runs as, not necessarily yours. When that account is SYSTEM, they land under SYSTEM's profile, %SystemRoot%\System32\config\systemprofile, in a subfolder that only SYSTEM has access to. Following other write-ups on the Internet about this subject, you might look for the 'X509Objects' subfolder in your own account's '%USERPROFILE%' tree and wonder why it isn't there. If this sounds like you, then to access this folder request the document: Instructions--SYSTEM.Access.html

I need to fully delineate the below operations and will at a future time. At this point the skeleton is below.

┌───────────────────────────────────────
│ References

• Troubleshooting PKI Problems on Windows
• Instructions--SYSTEM.Access.html

┌───────────────────────────────────────
│ Configure Log

____________________ GUI

• Event Viewer (Local) | Applications and Services Logs | Microsoft | Windows | CAPI2, right-click Operational:
  · Select: Enable Log
  · Ensure Maximum log size (KB) = 102400 (100 MB).
  · Ensure Overwrite events as needed (oldest events first) is selected.
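The same configuration scripted, plus the part the Event Viewer steps and wevtutil do not give you: a reproducible chain build and a readable view of the resulting events. This is an added PowerShell example, not part of the original instructions. It assumes only what this page documents (the Microsoft-Windows-CAPI2/Operational log, the crypt32 registry values DiagLevel, DiagMatchAnyMask and DiagProcessName, and the X509Objects folder under the processing account's profile); the process filter and the certificate picked in the example run are illustrative placeholders. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original instructions): script the CAPI2 set-up
# described on this page, reproduce a chain build, then read the events back.
# Assumptions: log name, registry path and value names are those the page
# documents; the process filter in the example run is illustrative only.

$LogName = 'Microsoft-Windows-CAPI2/Operational'
$Crypt32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\crypt32'

function Enable-Capi2Log {
    # Same result as the Event Viewer steps: Enable Log, 102400 KB, overwrite oldest.
    param([int]$MaxSizeMB = 100)
    $log = Get-WinEvent -ListLog $LogName
    $log.IsEnabled          = $true
    $log.MaximumSizeInBytes = $MaxSizeMB * 1MB
    $log.LogMode            = 'Circular'      # "Overwrite events as needed"
    $log.SaveChanges()
}

function Set-Capi2Verbose {
    # DiagLevel 5 = Verbose, DiagMatchAnyMask 0x00ffffff = every keyword.
    # DiagProcessName restricts logging to the named processes; remove it to log all.
    param([string[]]$ProcessName)
    if (-not (Test-Path $Crypt32)) { New-Item -Path $Crypt32 | Out-Null }
    New-ItemProperty -Path $Crypt32 -Name DiagLevel        -PropertyType DWord -Value 5          -Force | Out-Null
    New-ItemProperty -Path $Crypt32 -Name DiagMatchAnyMask -PropertyType QWord -Value 0x00ffffff -Force | Out-Null
    if ($ProcessName) {
        New-ItemProperty -Path $Crypt32 -Name DiagProcessName -PropertyType MultiString -Value $ProcessName -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $Crypt32 -Name DiagProcessName -ErrorAction SilentlyContinue
    }
}

function Disable-Capi2Verbose {
    # Back to standard logging (Level 2/4 only); the X509Objects folder is left in place.
    foreach ($n in 'DiagLevel', 'DiagMatchAnyMask', 'DiagProcessName') {
        Remove-ItemProperty -Path $Crypt32 -Name $n -ErrorAction SilentlyContinue
    }
}

function Test-ChainBuild {
    # Drives crypt32 the way an application would, so the CAPI2 log records the attempt.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    }
}

function Get-Capi2Events {
    # Level 2 = Error, 4 = Information, 5 = Verbose. The useful detail is not in the
    # message text but in <UserData>, whose single child is named after the operation
    # (CertGetCertificateChain, CertVerifyCertificateChainPolicy, ...).
    param([int[]]$Level = 2, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = $Level; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.FirstChild
            $cert = @($data.Certificate)[0]
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Operation   = $data.LocalName
                Process     = $data.EventAuxInfo.ProcessName
                Subject     = $cert.subjectName
                ResultCode  = $data.Result.value
                Result      = $data.Result.'#text'
                FileRef     = $cert.fileRef        # name of the object in X509Objects (verbose)
            }
        }
}

function Get-X509ObjectsPath {
    # Verbose logging writes the objects under the profile of the account doing the
    # processing. For LocalSystem that is %SystemRoot%\System32\config\systemprofile.
    param([switch]$System)
    $root = if ($System) { Join-Path $env:SystemRoot 'System32\config\systemprofile' } else { $env:USERPROFILE }
    Join-Path $root 'AppData\LocalLow\Microsoft\X509Objects'
}

# --- Example run (elevated). The filter names this shell only, so the chain build below is what gets logged.
Enable-Capi2Log
Set-Capi2Verbose -ProcessName 'powershell.exe', 'pwsh.exe'
$suspect = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1   # substitute the suspect certificate
Test-ChainBuild -Certificate $suspect
Start-Sleep -Seconds 2
Get-Capi2Events -Level 2, 4 -Since (Get-Date).AddMinutes(-5) | Format-Table TimeCreated, Id, Operation, Process, Subject, ResultCode -AutoSize
"X509Objects (this user): $(Get-X509ObjectsPath)"
"X509Objects (SYSTEM):    $(Get-X509ObjectsPath -System)"
```

When hunting a bad chain, call Get-Capi2Events with the default Level 2 and read ResultCode (an HRESULT such as 800B010A) together with Operation and Process; the FileRef column tells you which file under the X509Objects folder holds the certificate the event is complaining about. If no events show up after setting a process filter, open a fresh elevated shell and repeat the chain build, then run Disable-Capi2Verbose when you are done.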
____________________ Command Line

• Enable logging:
  · wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
• Save the log to a file:
  · wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.evtx
• Disable logging:
  · wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
• Clear the log:
  · wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
• Increase the log size (the value is in bytes; 102400 KB = 104857600 bytes):
  · wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /ms:log-size-in-bytes

____________________ Log Level

• Standard:
  · Level 2: Error
  · Level 4: Information (successful operations)
• Verbose:
  · Level 5: Verbose
  · Events reference the binary X.509 objects they processed (the fileRef attribute on Certificate elements in the event XML).
  · The binary X.509 objects are written to the file system under the profile of the account doing the processing:
    %USERPROFILE%\AppData\LocalLow\Microsoft\X509Objects
  · Enable verbose logging under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
    · DiagLevel | REG_DWORD | 5
    · DiagMatchAnyMask | REG_QWORD | 0x00ffffff (all event keywords)
      · To log events only for specific keywords, adjust the mask in DiagMatchAnyMask.
    · DiagProcessName | REG_MULTI_SZ | process names to log, one per entry; leave the value absent to log every process
  · .reg file (the header line is required for regedit to import it):
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32]
    "DiagLevel"=dword:00000005
    "DiagMatchAnyMask"=hex(b):ff,ff,ff,00,00,00,00,00

┌───────────────────────────────────────
│ Credits

Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.

I am Christopher Etter, a Professional Services consultant. Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!