Enable debug logging for Certificate Enrollment Policy Web Service (CEP)

When trying to track down an error in the Certificate Enrollment Policy Web Service (CEP), it is helpful to enable debug logging.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

Installation log

During installation (role configuration), the setup actions are written to the following log file:

%WINDIR%\certocm.log

Enable debug logging


Debug logging can be enabled with the following command:

certutil -setreg enroll\debug 0xffffffe3

Before logging becomes active, the CEP service must be restarted with the iisreset command.

iisreset

The log files are written to the following locations:

  • %WINDIR%\certenroll.log if the CEP service account has write permissions to this directory (for example because the account has local administrator rights, which should be avoided for security reasons).
  • %USERPROFILE%\certenroll.log (the profile of the CEP service account, not of the logged-on administrator) if the CEP service account has no write permissions to the above directory.

Disable debug logging

Debug logging can be disabled again with the following command line command:

certutil -delreg enroll\debug

Afterwards, the CEP service must again be restarted with the iisreset command for logging to stop.
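As an added example that is not part of the original article, the following PowerShell script wraps the enable and disable steps above: it runs certutil, checks the exit code, restarts IIS, and then looks for certenroll.log in both documented locations. The parameter names and the service-account profile path are assumptions for illustration.

```powershell
# Added example (not from the original article): enable or disable CEP debug
# logging with the certutil / iisreset steps described above and then check
# where certenroll.log ended up. All names below are assumptions.
[CmdletBinding()]
param(
    [switch]$Disable,
    # Profile directory of the CEP service account (assumed placeholder path).
    # Needed because $env:USERPROFILE in an admin shell is the admin's profile,
    # not the profile the service account writes its log into.
    [string]$ServiceAccountProfile = 'C:\Users\svc-cep'
)

function Invoke-Checked {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if ($Disable) {
    # Remove the debug value again (certutil -delreg enroll\debug)
    Invoke-Checked 'certutil.exe' @('-delreg', 'enroll\debug')
} else {
    # Set the debug flags documented above (certutil -setreg enroll\debug 0xffffffe3)
    Invoke-Checked 'certutil.exe' @('-setreg', 'enroll\debug', '0xffffffe3')
}

# The setting only takes effect after the web service has been restarted
Invoke-Checked 'iisreset.exe' @()

if (-not $Disable) {
    # Candidate locations, in the order the article lists them
    $candidates = @(
        (Join-Path $env:WINDIR 'certenroll.log'),
        (Join-Path $ServiceAccountProfile 'certenroll.log')
    )
    $found = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
    if ($found.Count -gt 0) {
        Write-Host "certenroll.log found at: $($found -join ', ')"
        if ($found -contains $candidates[0]) {
            # Writable %WINDIR% means the service account has more rights than it needs
            Write-Warning 'Log is in %WINDIR%: check whether the CEP service account has unnecessary (e.g. local administrator) rights.'
        }
    } else {
        Write-Host 'No certenroll.log yet: the file appears after the first request hits the CEP service.'
    }
}
```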
