
How to Capture Audit Events for Certificate Template Changes in AD CS

Anant Bera 271 Reputation points
2026-03-10T10:25:05.14+00:00

Hello Team,

We want to generate audit logs whenever a certificate template is created, modified, deleted, or published in our AD CS environment.

Auditing is already enabled on the CA server. Could you please confirm the recommended configuration to capture logs for these actions and the relevant event IDs for each activity (template creation, modification, deletion, and publishing/unpublishing)?

Thank you.

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

3 answers

  1. Tracy Le 3,555 Reputation points Independent Advisor
    2026-03-11T09:47:54.4233333+00:00

    Hi Anant Bera,

    I'm just checking in to see how your audit configuration is going. Were you able to successfully set up the directory object auditing in AD DS and capture those specific Event IDs (like 4891 and 4898) for your certificate templates?

    Please let me know if you run into any roadblocks while fine-tuning those audit policies or if you have any other questions. I'm always happy to help.

    Tracy.


  2. Tracy Le 3,555 Reputation points Independent Advisor
    2026-03-10T11:01:13.68+00:00

    Hi Anant Bera,

    Tracking down certificate template changes can be a bit tricky at first because of how Windows distributes these roles, but you are definitely on the right track.

    The most important concept to keep in mind here is that native Windows auditing does not emit a simple "Template Created" or "Template Deleted" event directly in the CA logs. This is because the actual templates live inside Active Directory (AD DS), not on the CA server itself. Therefore, if you want to capture when a template is explicitly created, modified, or deleted, you have to look at directory object changes. You will need to configure Directory Service / Object Access auditing directly on the CN=Certificate Templates container in your AD DS environment.

    However, tracking when a template is published or unpublished (meaning it is added to or removed from the CA's active list) is indeed a CA configuration event. Since you mentioned auditing is already enabled on your CA, you just need to ensure the scope is correct. Through your GPO, verify under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Certification Services that both Success and Failure are enabled. Additionally, right-click your CA in the Certification Authority MMC, go to Properties, and on the Auditing tab, ensure Change CA configuration is selected.

    Once your logging is properly scoped, you can set your SIEM or monitoring tools to alert on:

    Event ID 4891: This indicates a configuration entry changed in Certificate Services, which captures the exact moment templates are enabled or published on the CA.

    Event ID 4898: This pairs perfectly with the above, as it tells you exactly which certificate template definition the CA just loaded.

    I hope this helps clarify where to look for those specific actions! If these details helped point you in the right direction, please consider marking it as Accept Answer so this solution can help others in the community.

    Tracy.

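The answer above points out that template creation, modification and deletion happen in AD DS, on the CN=Certificate Templates container, so they have to be caught with directory object auditing rather than on the CA. The following PowerShell is an added example, not code from the answer or from Microsoft: it puts an audit ACE (SACL) on that container, enables the Directory Service Changes subcategory on a domain controller (the subcategory that writes 5137 object created, 5136 attribute modified, 5141 object deleted), and reads those events back filtered to pKICertificateTemplate objects. The function names, the -DomainController and -Since parameters, and the choice to audit Everyone are assumptions for the example; it needs the RSAT ActiveDirectory module and rights to change the container's security descriptor.

```powershell
# Added example (not from the original answer). Audit create/modify/delete of
# certificate templates in AD DS: SACL on the container + DS Changes subcategory
# + a reader for the resulting 5136/5137/5141 events. Needs RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Enable-CertTemplateContainerAuditing {
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $adPath     = "AD:\$templateDN"          # AD: PSDrive from the ActiveDirectory module

    # Everyone (S-1-1-0): audit success and failure for property writes, child
    # create/delete, delete of the object itself and DACL/owner changes; inherited
    # by every template object under the container. Assumption: auditing Everyone.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner'
    $flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $ace      = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($everyone, $rights, $flags, $inherit)

    $acl = Get-Acl -Path $adPath -Audit
    $acl.AddAuditRule($ace)
    Set-Acl -Path $adPath -AclObject $acl

    # Return the resulting SACL so the change can be confirmed.
    (Get-Acl -Path $adPath -Audit).Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
}

# A SACL only produces events when the subcategory is enabled on the DCs. Set it
# through GPO in production; auditpol on one DC is enough for a lab test.
function Enable-DirectoryServiceChangesAudit {
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
}

# Read the events from a DC's Security log and keep only template objects.
# Assumption: the change was processed by the DC queried; each writable DC logs
# only the changes it received directly, so query every DC for full coverage.
function Get-CertTemplateChangeEvent {
    param(
        [string]$DomainController = [string](Get-ADDomainController -Discover).HostName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $actions = @{ 5137 = 'created'; 5136 = 'modified'; 5141 = 'deleted' }
    $filter  = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.ObjectClass -eq 'pKICertificateTemplate') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Id        = $_.Id
                    Action    = $actions[[int]$_.Id]
                    Template  = $d.ObjectDN
                    Attribute = $d.AttributeLDAPDisplayName   # 5136 only
                    Value     = $d.AttributeValue             # 5136 only
                    Operation = $d.OperationType              # 5136: %%14674 value added, %%14675 value deleted
                    Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                }
            }
        }
}

# Usage: run the first two once (on a DC, as an enterprise admin), then query.
# Enable-CertTemplateContainerAuditing
# Enable-DirectoryServiceChangesAudit
# Get-CertTemplateChangeEvent -Since (Get-Date).AddHours(-4) | Format-Table -AutoSize
```

A single template edit in the MMC produces several 5136 events (one per attribute written, often with a value-deleted and a value-added pair per attribute), so a SIEM rule should group them by ObjectDN and Actor within a short window rather than alert on each one.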

  3. Q&A Assist
    2026-03-10T10:25:22.8866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Configure auditing in two places: on the CA (AD CS) itself and in Advanced Audit Policy so that Certificate Services events are generated and collected.

    1. Configure Advanced Audit Policy for AD CS

    On a GPO that applies to the CA server:

    1. Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit Certification Services.
    2. Enable both Success and Failure.

    This setting causes Windows to generate Certificate Services operational events (including template-related operations) from the CA.

    2. Configure CA-level auditing

    On the CA server:

    1. Open Certification Authority (MMC).
    2. Right-click the CA → Properties → Auditing tab.
    3. Select the events to audit (for template operations, typically include at least):
      • Change CA configuration (covers configuration changes, including template list changes on the CA).
      • Issue and manage certificate requests (for issuance behavior tied to templates).
    4. Select OK.

    Alternatively, configure the CA audit mask via PowerShell/command line and restart the service:

    certutil -setreg CA\AuditFilter 127
    Restart-Service certsvc
    

    AuditFilter 127 enables all CA audit categories so that all Certificate Services events (including template configuration changes) are logged.

    3. Relevant event IDs for Certificate Services

    Once the above is configured, monitor the following Certificate Services events on the CA (Security log) for template‑related activity:

    • 4898 – Certificate Services loaded a template.
      Indicates that the CA has loaded a certificate template definition. This is relevant when templates are added/updated on the CA or when the CA refreshes its template list.
    • 4891 – A configuration entry changed in Certificate Services.
      Indicates a change to CA configuration. Changes to which templates are enabled/published on the CA (e.g., adding/removing templates from the CA’s list) are recorded as configuration changes and will appear under this event.

    Additional Certificate Services events that may be useful for broader CA monitoring (not strictly template create/modify/delete, but often correlated):

    • 4895 – Certificate Services published the CA certificate to Active Directory Domain Services.
    • 4886 – Certificate Services received a certificate request.
    • 4887 – Certificate Services approved a certificate request and issued a certificate.
    • 4888 – Certificate Services denied a certificate request.
    • 4889 – Certificate Services set the status of a certificate request to pending.

    4. Interpreting template operations

    Native Windows auditing does not emit a separate, explicit event like “Template X created” or “Template X deleted” in the CA logs. Instead:

    • Template creation/modification/deletion in AD DS (on the CN=Certificate Templates container) is captured as directory object changes, not CA events. These require appropriate Directory Service / Object Access auditing on that container (not covered in the provided context).
    • Template publishing/unpublishing on a CA (adding/removing templates from the CA’s list of issuable templates) is reflected as CA configuration changes and template loads:
      • Use 4891 (configuration entry changed) to detect when the CA’s configuration, including its enabled templates, is modified.
      • Use 4898 (template loaded) to see which templates the CA is loading/using.

    In practice, to track template publishing/unpublishing on a CA, alert on:

    • Event ID 4891 on the CA, and
    • Correlate with 4898 events (which templates are loaded after the change).

    With Audit Certification Services enabled (Success/Failure) and the CA’s Auditing tab configured (or AuditFilter 127), these events will be generated and can be collected by SIEM or monitoring tools.


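The answer above describes two CA-side settings (the Audit Certification Services subcategory and the CA's AuditFilter / Auditing tab) and two event IDs to alert on, 4891 and 4898. The PowerShell below is an added example, not code from the answer or from Microsoft, that runs on the CA: it reads the current AuditFilter with certutil and decodes each bit, checks the subcategory with auditpol, and then pulls 4891/4898 from the Security log with every EventData field expanded so the changed entry or loaded template can be read off without relying on field names. The function names, the -ComputerName and -Since parameters and the seven-day window are assumptions; the bit constants are the CERTSRV_AUDIT_* values certutil itself prints.

```powershell
# Added example (not from the original answer). Verify CA-side audit settings and
# read the template-related Certificate Services events (4891, 4898) on the CA.

# AuditFilter bit values as printed by "certutil -getreg CA\AuditFilter".
$auditBits = [ordered]@{
    1  = 'CERTSRV_AUDIT_STARTSTOP      (start and stop the service)'
    2  = 'CERTSRV_AUDIT_BACKUPRESTORE  (back up and restore the database)'
    4  = 'CERTSRV_AUDIT_CERTIFICATE    (issue and manage certificate requests)'
    8  = 'CERTSRV_AUDIT_CACONFIG       (change CA configuration)'
    16 = 'CERTSRV_AUDIT_CASECURITY     (change CA security settings)'
    32 = 'CERTSRV_AUDIT_KEYARCHIVE     (store and retrieve archived keys)'
    64 = 'CERTSRV_AUDIT_REVOKE         (revoke certificates and publish CRLs)'
}

function Get-CaAuditFilter {
    # certutil prints e.g. "AuditFilter REG_DWORD = 7f (127)"; the first number is hex.
    $out = (& certutil.exe -getreg CA\AuditFilter 2>&1) -join "`n"
    if ($out -match 'AuditFilter\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)') {
        $value = [Convert]::ToInt32($Matches[1], 16)
    } else {
        throw "Could not read CA\AuditFilter (is this a CA, and are you an admin?): $out"
    }
    foreach ($bit in $auditBits.Keys) {
        [pscustomobject]@{
            Bit      = $bit
            Category = $auditBits[$bit]
            Enabled  = (($value -band $bit) -ne 0)   # bit 8 must be on for 4891
        }
    }
}

function Test-CaAuditSubcategory {
    # auditpol prints "  Certification Services   Success and Failure" when both are on.
    $line = & auditpol.exe /get /subcategory:'Certification Services' |
        Where-Object { $_ -match 'Certification Services' }
    [pscustomobject]@{
        Subcategory = 'Certification Services'
        Setting     = (($line -replace '^\s*Certification Services\s+', '') -join '').Trim()
    }
}

function Get-CaTemplateAuditEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,      # assumption: local CA
        [datetime]$Since = (Get-Date).AddDays(-7)        # assumption: one-week window
    )
    $names  = @{ 4891 = 'CA configuration entry changed'; 4898 = 'template loaded' }
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 4891, 4898
        StartTime    = $Since
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Expand every <Data Name="..."> element so no field name has to be guessed.
            $x = [xml]$_.ToXml()
            $data = [ordered]@{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Event  = $names[[int]$_.Id]
                Fields = $data
            }
        }
}

# Usage: confirm the settings first, then list the events one per line.
Get-CaAuditFilter | Format-Table -AutoSize
Test-CaAuditSubcategory
Get-CaTemplateAuditEvent | ForEach-Object {
    $e = $_
    $kv = $e.Fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }
    "$($e.Time) $($e.Id) $($e.Event): " + ($kv -join '; ')
}
```

If Get-CaAuditFilter shows bit 8 off, or Test-CaAuditSubcategory returns "No Auditing", no 4891 will be written no matter what is done in the CA MMC; fix that before tuning any SIEM rule. Remember that certutil -setreg changes only take effect after the CertSvc service is restarted, as the answer notes.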
