Instructions - PKI - CAPI2 Log


These settings and registry values allow you to capture logging around CAPI (Certificate API) processing related to digital certificates. They are especially useful if you suspect that a certificate in a chain is invalid and causing you grief. Windows is frankly less than stellar about ease-of-use with CAPI logging/diagnostics and these procedures represent the only way to get the visibility required.

An example of how less than stellar is this: If you enable verbose logging in order to capture certificates processed by the Cryptographic Service, if the actor processing the certificates is user SYSTEM then those certificates will be placed in a subfolder of user SYSTEM's '%USERPROFILE%' that only user SYSTEM has access to. Observing other write-ups on the Internet about this subject, you might look in your user account's '%USERPROFILE%' folder tree for the 'X509Objects' subfolder and wonder why it isn't there. If this sounds like you, then to access this folder request the document:  Instructions--SYSTEM.Access.html

I need to fully delineate the below operations and will at a future time. At this point the skeleton is below.


Troubleshooting PKI Problems on Windows

Configure Log


    • Event Viewer (Local) | Applications and Services Logs | Microsoft | Windows | CAPI2, right-click Operational:
        · Select: Enable Log
        · Ensure Maximum log size ( KB ): = 102400.
        · Ensure Overwrite events as needed (oldest events first) is selected.

    Command Line

    • Enable logging:
        · wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
    • Save the log to a file:
        · wevtutil.exe epl Microsoft-Windows-CAPI2/Operational filename.evtx
    • Disable logging:
        · wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
    • Clear logs:
        · wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
    • Increase the log size:
        · wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:log-size-in-bytes

    Log Level

    • Standard:
        · Level 2: Error
        · Level 4: Success

    • Verbose:
        · Level 5: Verbose
            · Links to binary X.509 objects are available in the log.
            · Binary X.509 objects are available in the file system: %USERPROFILE%\AppData\LocalLow\Microsoft\X509Objects
                · Enable verbose logging:
                    · HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\crypt32
                        · DiagLevel | REG_DWORD | 5
                        · DiagMatchAnyMask | REG_QWORD | ffffff
                            · To log events only for specific keywords, adjust the mask in DiagMatchAnyMask.
                        · DiagProcessName | REG_MULTI_SZ | process names

                    · .reg file:


Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.

I am Christopher Etter, a Professional Services consultant.

Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!