Reference article:

Enable CA auditing:

a) Start PKIview, select the CA and right-click Manage, on Properties, go to Audit tab and check all the boxes “Events to Audit”

Then use auditpol from a command line in admin mode:

b) auditpol /set /subcategory:”Certification Services” /success:enable /failure:enable

Event logs:

Microsoft-Windows-CertificationAuthority – Contains operational and installation events related to the CA. Object access auditing is not required for these events to be written to the Application log.

Microsoft-Windows-Security-Auditing – Contains numerous events related to the security and configuration of the CA. Object access auditing must be configured for Certification Services and an appropriate CA audit filter must be configured.

Event IDs:

Certificate Services loaded a template (Event ID 4898) – This event is triggered whenever a CA loads a template for the first time. For example, if a CA is configured with three templates, at startup this event will trigger for each template as it loads. If a fourth template is added while the CA is running, an event will be triggered on the first attempt to enroll the template on the CA.

A Certificate Services template was updated (Event ID 4899) – This event is triggered when a template loaded by the CA has an attribute updated and an enrollment is attempted for the template. For example, if an additional EKU is added to a template, this event would trigger and provide enough information to determine the change being made.

Certificate Services template security was updated (Event ID 4900) – This event is triggered when security permissions on a Certificate Template loaded on a CA are changed, and an enrollment event for the template occurs.

For the template change events to be recorded, configure the CA for auditing of CA events as described in Configuring Microsoft Windows Audit Policy and Configuring Certification Authority Auditing. In addition, enable the CA audit setting for “Change CA settings”, and enable a specific policy configuration. To set the policy configuration to enable audit of template events, run the following command:

certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD