FIM Reference: Logging for Certificate Management
Overview
Two sources of logging may be gathered for CM issues: the CM log on the CM server itself, and logging that can be enabled on a certificate server (CA). The CA logging is useful when CM is communicating with a CA at the time the issue is encountered (e.g. the policy module denies a request).
CM LOGGING
The FIM CM Logging is well documented.
How to Capture a Verbose Log for CLM or FIM CM
CA LOGGING
The CA logging is a combination of registry settings, event logging, and a service restart. Below are the commands used on a CA to enable/disable logging. I also have two batch files to do the same. Please test the batch files. If they work we can add this to our SDP.
Link to the zip containing batch files and a readme.
Certificate Services logging, including policy and exit modules, is configured in the following three registry locations.
- HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]
- HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]\PolicyModules
- HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]\ExitModules
The "debug" setting writes output to %systemroot%\certsrv.log.
The other settings write output to the appropriate event log.
The wevtutil command enables the CAPI2 operational event log.
Certificate Services (CertSvc) needs to be restarted after either enabling or disabling the logging.
Enable:
certutil -f -setreg ca\debug 0xffffffff
certutil -setreg ca\loglevel 4
certutil -setreg ca\PolicyModules\CLM2.Policy Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule.Dump Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModulePlugins Verbose
certutil -setreg ca\ExitModules\CLME2.ExitModule Verbose
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
Net Stop Certsvc && Net Start Certsvc
Disable:
certutil -delreg ca\debug
certutil -setreg ca\loglevel 3
certutil -delreg ca\PolicyModules\CLM2.Policy
certutil -delreg ca\PolicyModules\CLM2.PolicyModule
certutil -delreg ca\PolicyModules\CLM2.PolicyModule.Dump
certutil -delreg ca\PolicyModules\CLM2.PolicyModulePlugins
certutil -delreg ca\ExitModules\CLME2.ExitModule
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
Net Stop Certsvc && Net Start Certsvc
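To confirm which state the Enable and Disable commands above have left the CA in, the following read-only PowerShell check queries each setting they touch. It is an added example, not part of the original page or of the batch files it mentions. It assumes an elevated session on the CA and that certutil -getreg prints the value on a line of the form "Name REG_TYPE = data".

```powershell
# Added example: audits the CA logging settings changed by this page's
# Enable/Disable commands. Read-only; run elevated on the CA.

# Paths exactly as used in the certutil commands on this page.
# The Disable block deletes these values, so "present" means "still verbose".
$presenceChecks = @(
    'ca\debug',
    'ca\PolicyModules\CLM2.Policy',
    'ca\PolicyModules\CLM2.PolicyModule',
    'ca\PolicyModules\CLM2.PolicyModule.Dump',
    'ca\PolicyModules\CLM2.PolicyModulePlugins',
    'ca\ExitModules\CLME2.ExitModule'
)

function Get-CertutilReg {
    param([string]$Path)
    # certutil -getreg exits non-zero when the value does not exist.
    $out = & certutil.exe -getreg $Path 2>&1
    [pscustomobject]@{
        Found = ($LASTEXITCODE -eq 0)
        # Assumption: the value appears on a line like "Name REG_TYPE = data".
        Line  = ($out | Where-Object { $_ -match 'REG_\w+\s*=' } | Select-Object -First 1)
    }
}

$report = foreach ($path in $presenceChecks) {
    $r = Get-CertutilReg -Path $path
    [pscustomobject]@{
        Setting = $path
        Verbose = $r.Found
        Detail  = if ($r.Found) { "$($r.Line)".Trim() } else { 'not set' }
    }
}

# ca\loglevel is reset to 3 rather than deleted, so compare its value instead.
$lvl   = Get-CertutilReg -Path 'ca\loglevel'
$level = if ("$($lvl.Line)" -match '=\s*([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
$report += [pscustomobject]@{ Setting = 'ca\loglevel'; Verbose = ($level -gt 3); Detail = "value $level" }

# CAPI2 operational channel, toggled above with wevtutil sl ... /e:true|false.
$capi2 = Get-WinEvent -ListLog 'Microsoft-Windows-CAPI2/Operational'
$report += [pscustomobject]@{ Setting = 'CAPI2/Operational'; Verbose = $capi2.IsEnabled; Detail = "enabled=$($capi2.IsEnabled)" }

# The debug setting writes to this file; report its size so growth is visible.
$log = Join-Path $env:SystemRoot 'certsrv.log'
if (Test-Path $log) { 'certsrv.log size: {0:N0} bytes' -f (Get-Item $log).Length }

$report | Format-Table -AutoSize
if ($report.Verbose -contains $true) { 'Verbose CA logging is still enabled.' } else { 'CA logging matches the Disable state.' }
```

The registry values take effect only after the CertSvc restart, so a setting reported here as changed may not yet reflect what the running service is doing.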