none
WHO REVOKED MY CERTIFICATE

    Question

  • Even id 4870 (windows 2008 R2) Certificate Authority Server is generated when a certificate is revoked.

    The only information it carries is which certificate was revoked. It does not tells WHO revoked the certificate.

    Is there a way or any other event which can help in finding out who revoked the certificates?

    Auditing is already enabled.

    jeudi 23 février 2012 10:34

Réponses

  • if you have Auditing enabled (on the Auditing tab of the AD CS properties), and you have the Certification Services audit subcategory enabled (see AUDITPOL or Advanced Audit Policy Configuration in GPO) or just the whole Object Access category - you will see the revocation events in the Security event log. And these log entries record the user identity who did the revocation.

    ondrej.

    • Marqué comme réponse Bruce-Liu jeudi 1 mars 2012 09:30
    lundi 27 février 2012 11:51

Toutes les réponses