╔═══════════════════════════════════════
║ Instructions - PKI - CAPI2 Log
┌───────────────────────────────────────
│ Plainspeak
These settings and registry values let you capture logging of CAPI2, the certificate and chain-validation part of Windows CryptoAPI (implemented in crypt32.dll), as it processes digital certificates. They are especially useful when you suspect that a certificate in a chain is invalid and is causing you grief: an application usually reports nothing more than a generic trust error, while the CAPI2 log records each chain build, policy check and revocation lookup together with its result code. Windows is frankly less than stellar about the ease of use of CAPI2 logging and diagnostics, and these procedures are the only way to get the visibility required.
An example of how less than stellar: if you enable verbose logging in order to capture the certificates processed by the Cryptographic Services service, and the actor processing them is the SYSTEM account, those certificates are written to a subfolder of SYSTEM's profile (%SystemRoot%\System32\config\systemprofile, not your own %USERPROFILE%), and by default only SYSTEM has access to it. Following other write-ups on the Internet about this subject, you might look in your own user account's '%USERPROFILE%' folder tree for the 'X509Objects' subfolder and wonder why it isn't there. If this sounds like you, then to access that folder request the document: Instructions--SYSTEM.Access.html
I need to fully delineate the operations below and will do so at a future time. For now, the skeleton follows.
┌───────────────────────────────────────
│ References
• Troubleshooting PKI Problems on Windows
• Instructions--SYSTEM.Access.html
┌───────────────────────────────────────
│ Configure Log
____________________
GUI
• Event Viewer (Local) | Applications and Services Logs | Microsoft | Windows | CAPI2, right-click Operational:
· Select: Enable Log
· Right-click Operational again and select: Properties, then in the log properties:
· Set Maximum log size ( KB ) to 102400 (100 MB; the default is far too small for a log this chatty, and once the log wraps the events you need are gone).
· Ensure Overwrite events as needed (oldest events first) is selected.
____________________
Command Line
• Enable logging:
· wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
• Increase the log size (/ms: takes bytes; 104857600 bytes is the 102400 KB used in the GUI steps above):
· wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /ms:104857600
• Clear the log (do this before reproducing the problem, so the capture contains only the failing run):
· wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
• Save the log to a file (export before clearing or disabling, or the events are lost):
· wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.evtx
• Disable logging:
· wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
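The command-line steps above as one PowerShell session, followed by a triage pass over the exported log that pulls the failing process and the CAPI2 result code out of each error event. This is an added example and not part of the original page; the export path, the 100 MB size and the function name Get-Capi2Failure are this example's own assumptions, and you reproduce the failing operation yourself at step 2.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumed: export to C:\Temp, a 100 MB log, manual reproduction at step 2.
$log    = 'Microsoft-Windows-CAPI2/Operational'
$export = 'C:\Temp\capi2.evtx'

# 1. Enable the log, size it (/ms: takes bytes; 104857600 = 102400 KB) and start clean.
wevtutil.exe sl $log /e:true /ms:104857600
wevtutil.exe cl $log

# 2. Reproduce the failure now (open the failing HTTPS site, start the service,
#    run the signed installer, ...), then export while the events are fresh.
Read-Host 'Reproduce the certificate problem, then press Enter'
New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null
wevtutil.exe epl $log $export /ow:true

# 3. Triage: error-level events (Level 2). The <Result value="..."> element in
#    the event data carries the HRESULT (for example 800B010A, CERT_E_CHAINING)
#    that the application's error dialog never shows you; EventAuxInfo names the
#    process and CorrelationAuxInfo ties the events of one operation together.
function Get-Capi2Failure {
    param([string]$Path = $export)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Level = 2 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x       = [xml]$_.ToXml()
            $result  = $x.SelectSingleNode("//*[local-name()='Result']")
            $auxInfo = $x.SelectSingleNode("//*[local-name()='EventAuxInfo']")
            $corr    = $x.SelectSingleNode("//*[local-name()='CorrelationAuxInfo']")
            $process = ''; $taskId = ''; $code = ''; $message = $_.Message
            if ($auxInfo) { $process = $auxInfo.GetAttribute('ProcessName') }
            if ($corr)    { $taskId  = $corr.GetAttribute('TaskId') }
            if ($result)  { $code    = $result.GetAttribute('value'); $message = $result.InnerText.Trim() }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Task    = $_.TaskDisplayName
                Process = $process
                TaskId  = $taskId
                Code    = $code
                Message = $message
            }
        }
}

Get-Capi2Failure | Format-Table -AutoSize

# 4. Every event of one operation (chain build, policy check, revocation check)
#    shares a TaskId; list the whole story behind the first failure.
$first = Get-Capi2Failure | Select-Object -First 1
if ($first -and $first.TaskId) {
    Get-WinEvent -FilterHashtable @{ Path = $export } |
        Where-Object { $_.ToXml() -like "*$($first.TaskId)*" } |
        Select-Object TimeCreated, Id, TaskDisplayName, LevelDisplayName |
        Format-Table -AutoSize
}

# 5. Turn the log off again when done; it is noisy and grows fast.
wevtutil.exe sl $log /e:false
```

Filtering on Level 2 rather than on specific event IDs keeps the triage independent of which CAPI2 task failed; the Task column tells you whether it was the chain build, the chain policy check or revocation, and the Code column gives you the exact HRESULT to look up.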
____________________
Log Level
• Standard:
· Level 2: Error
· Level 4: Information (the successful operations)
• Verbose:
· Level 5: Verbose
· The event data references each certificate by file name (a fileRef attribute on the certificate element in the event XML), so you can retrieve the exact bytes that were evaluated.
· Binary X.509 objects are available in the file system: %USERPROFILE%\AppData\LocalLow\Microsoft\X509Objects
· Enable verbose logging:
· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\crypt32
· DiagLevel | REG_DWORD | 5
· DiagMatchAnyMask | REG_QWORD | 0xffffff (all keywords)
· To log events only for specific keywords, adjust the mask in DiagMatchAnyMask.
· DiagProcessName | REG_MULTI_SZ | process names, one executable name per entry (optional; limits verbose output to those processes)
· Delete DiagLevel (and the other two values) when the capture is done: verbose mode writes every object it touches to disk and the log fills quickly.
· .reg file (DiagProcessName is optional and omitted here):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\crypt32]
"DiagLevel"=dword:00000005
"DiagMatchAnyMask"=hex(b):ff,ff,ff,00,00,00,00,00
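The verbose-logging registry settings above applied and reverted from PowerShell, with the saved X.509 objects located and decoded afterwards, including the SYSTEM-profile location described in the Plainspeak section. This is an added example and not part of the original page; the function names Enable-Capi2Verbose, Disable-Capi2Verbose and Get-SavedX509Object are this example's own, and because the page does not describe how files in X509Objects are named, every file is simply tried as a certificate and skipped if it is something else.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumed: file naming inside X509Objects is not described here, so each file is
# loaded as a certificate and skipped on failure (CRLs and CTLs land there too).
$crypt32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\crypt32'

function Enable-Capi2Verbose {
    # -ProcessName 'name.exe' (one or more) restricts verbose output to those processes.
    param([string[]]$ProcessName)
    New-ItemProperty -Path $crypt32 -Name DiagLevel        -PropertyType DWord -Value 5        -Force | Out-Null
    New-ItemProperty -Path $crypt32 -Name DiagMatchAnyMask -PropertyType QWord -Value 0xFFFFFF -Force | Out-Null
    if ($ProcessName) {
        New-ItemProperty -Path $crypt32 -Name DiagProcessName -PropertyType MultiString -Value $ProcessName -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $crypt32 -Name DiagProcessName -ErrorAction SilentlyContinue
    }
}

function Disable-Capi2Verbose {
    # Verbose mode writes every certificate, CRL and CTL it touches to disk;
    # remove the values again as soon as the capture is done.
    foreach ($name in 'DiagLevel', 'DiagMatchAnyMask', 'DiagProcessName') {
        Remove-ItemProperty -Path $crypt32 -Name $name -ErrorAction SilentlyContinue
    }
}

# Where the objects end up depends on whose profile the processing happened in:
# a service running as SYSTEM writes under the SYSTEM profile, not under yours.
$x509Folders = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Microsoft\X509Objects'),
    (Join-Path $env:SystemRoot  'System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects')
)

function Get-SavedX509Object {
    param([string[]]$Folder = $x509Folders)
    foreach ($dir in $Folder) {
        if (-not (Test-Path $dir)) { Write-Warning "Not found or not readable: $dir"; continue }
        foreach ($file in Get-ChildItem -Path $dir -File) {
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
                [pscustomobject]@{
                    File       = $file.Name      # the name the event XML's fileRef attribute refers to
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            } catch {
                # not a certificate (CRL, CTL, ...) or not readable: skip it
            }
        }
    }
}

# Typical session: turn verbose on, reproduce, inspect what was evaluated, turn off.
Enable-Capi2Verbose
Read-Host 'Reproduce the certificate problem, then press Enter'
Get-SavedX509Object | Sort-Object NotAfter | Format-Table -AutoSize
Disable-Capi2Verbose
```

If the SYSTEM-profile folder shows up as not found or not readable even though the failing component runs as SYSTEM, that is the access problem described in the Plainspeak section: run the inspection as SYSTEM (see Instructions--SYSTEM.Access.html) or copy the folder out from a SYSTEM context first.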
┌───────────────────────────────────────
│ Credits
Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.
I am Christopher Etter, a Professional Services consultant.
Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!