WHO REVOKED MY CERTIFICATE

    Question

  • Event ID 4870 (Windows 2008 R2) Certificate Authority Server is generated when a certificate is revoked.

    The only information it carries is which certificate was revoked. It does not tell WHO revoked the certificate.

    Is there a way or any other event which can help in finding out who revoked the certificates?

    Auditing is already enabled.

    Thursday, February 23, 2012 10:34 AM

Answers

  • If you have Auditing enabled (on the Auditing tab of the AD CS properties), and you have the Certification Services audit subcategory enabled (see AUDITPOL or Advanced Audit Policy Configuration in GPO) or just the whole Object Access category - you will see the revocation events in the Security event log. And these log entries record the user identity who did the revocation.

    ondrej.

    • Marked as answer by Bruce-Liu Thursday, March 01, 2012 9:30 AM
    Monday, February 27, 2012 11:51 AM
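
The steps named in the answer above, as an added PowerShell example that is not part of the original thread: it turns on both audit layers and then lists every named field each 4870 event carries. It assumes an elevated prompt on the CA server and the default `CertSvc` service name; which fields appear in the event depends on the Windows version, so the script prints whatever is present rather than assuming field names.

```powershell
# Added example (not from the original thread). Run elevated on the CA server.

# 1. CA-side audit filter (same setting as the Auditing tab in the CA properties).
#    Bit 8 = "Revoke certificates and publish CRLs"; 127 enables all seven categories.
certutil -setreg CA\AuditFilter 127
Restart-Service CertSvc          # the CA reads AuditFilter at service start

# 2. OS-side audit policy: the Certification Services subcategory under Object Access.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /get /subcategory:"Certification Services"    # confirm the setting took effect

# 3. Read revocation events (ID 4870) from the Security log and flatten each
#    event's named EventData fields into one object per event.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4870 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = @{ TimeCreated = $_.TimeCreated; RecordId = $_.RecordId }
        foreach ($d in $xml.Event.EventData.Data) {
            # Only named <Data> elements are kept; unnamed ones are skipped.
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        New-Object PSObject -Property $row
    } |
    Format-List
```

Events are only written for revocations that happen after both settings are in place, so an empty result on a freshly configured CA is expected.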
