Auditing Certificate Services Recovery Agent
Hi,
We are running Certificate Services on Windows 2003 Server. We have defined a few Recovery Agents, and the private keys of those certificates are kept with us on removable media. I am looking for a way to audit the use of these recovery agent certificates.
If any of the admins is using these certificates to decrypt data in case the key is lost by the user, then I should be able to track it. I have enabled auditing for all events on the CA server.
We do not have key archiving enabled.
Please let me know if there is any way to do that.
May 16th, 2012 1:00am
Actually this seems to be more suitable for Security forum:
Here is Security forum link:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator |
My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
May 16th, 2012 1:35am
Auditing can be enabled from the Certification Authority snap-in by right-clicking the CA node, clicking Properties, clicking the Auditing tab, and selecting Store and retrieve archived keys.
When auditing of key recovery events is enabled, an event for each key archival and recovery operation is recorded in the Security log.
See the details here:
Best Practices for Key Archival and Recovery
http://technet.microsoft.com/en-us/library/ee449487(v=ws.10).aspx
Regards,
Miya Yao
TechNet Community Support
May 16th, 2012 3:55am
Hi Miya,
I have already enabled the auditing and am getting the logs for other events, but when I use the recovery agent cert I am not getting any log. These recovery keys are not archived, but we have exported the certs manually and saved them on removable media.
May 16th, 2012 8:34am
The auditing will only cover recovery events. Since you have not enabled key archival, you will not see any events.
The import of the certificate into a profile is not audited. So you have to enable key archival, and then view the logs.
Also, ensure that you have success and failure auditing for object access enabled, in addition to the auditing options on the CA properties tab.
Brian
May 16th, 2012 10:02am
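Editor's note: the two answers above (the Auditing tab in the CA snap-in, and Brian's point that only CA-side recovery events are logged and object-access auditing must be on) come together in the script below. It is an added example, not code posted in the thread. It assumes a CA host name of ca01.example.com, stock certutil and auditpol, and Server 2008 R2 or later for the auditpol subcategory syntax (on Server 2003 the equivalent is the "Audit object access" policy in Local Security Policy or a GPO). The audit-filter bit and the event IDs are from the Windows Security audit reference as I know it; check them against your own server's log.

```powershell
# Added example (not from the thread): enable CA key-recovery auditing and
# report the Security events it produces. Run from an elevated prompt on the CA.

$CaHost = "ca01.example.com"   # assumption: your CA's host name

# 1. The "Store and retrieve archived keys" checkbox on the Auditing tab is
#    bit 0x20 of the CA\AuditFilter registry value; 127 turns on all seven
#    categories, which is what "auditing for all events" means in the snap-in.
certutil -config $CaHost -setreg CA\AuditFilter 127

# 2. The CA only writes audit records if the Security log will accept them:
#    Object Access -> Certification Services, success and failure.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. AuditFilter changes take effect after a service restart.
Restart-Service certsvc

# 4. Pull the key archival/recovery events and show who did what.
#    Server 2008+ IDs: 4883 retrieved an archived key, 4893 archived a key,
#    4894 imported and archived a key. Server 2003 uses the same events
#    numbered 4096 lower (787, 797, 798). Verify on your server.
function Get-CaKeyRecoveryEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    $retrieve = 4883, 787
    $archive  = 4893, 797
    $import   = 4894, 798
    $all      = $retrieve + $archive + $import

    # Get-EventLog uses the classic event log API, so it also reaches a
    # Server 2003 CA remotely, which Get-WinEvent does not.
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $Since |
        Where-Object { $all -contains $_.InstanceId } |
        ForEach-Object {
            $id = $_.InstanceId
            $action = if ($retrieve -contains $id) { 'Retrieved archived key (certutil -getkey)' }
                      elseif ($archive -contains $id) { 'Archived key' }
                      else { 'Imported and archived key' }
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventId = $id
                Action  = $action
                User    = $_.UserName
                Detail  = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-CaKeyRecoveryEvents -ComputerName $CaHost | Format-Table -AutoSize
```

The thing to understand before relying on this: with key archival enabled, a recovery has two steps. A certificate manager runs certutil -getkey against the CA to fetch the encrypted key blob from the CA database; that is the operation the CA audits (4883). The key recovery agent then runs certutil -recoverkey on their own workstation with the exported KRA private key to decrypt the blob, and the CA never sees that step. The same holds for an EFS data recovery agent decrypting files with an exported certificate: it is a local operation on the client. So the CA log tells you when a key was retrieved and by whom, but use of a private key that lives on removable media will only ever be visible on the machine where it is used.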