Windows Security Log Event ID 4870
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Object Access
• Certification Services |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
|
4870: Certificate Services revoked a certificate
On this page
When an administrator revokes a certificate the certificate is moved to the Revoked Certificates folder and this event is logged. Reason for revocation noted below.
Unfortunately Windows does not report who revoked the certificate, just that it happened. To find out what certificate was revoked look in Revoked Certificates for the Serial Number reported herein.
Serial Number: the serial number of the certificate see the Details tab of the certificate's Properties dialog.
This event event is only logged if "Revoke certificates and publish CRLs" is enabled on the Audit tab of the CA's properties in Certificate Services MMC snap-in and of course if the Certificate Services audit subcategory is enabled with auditpol.
Free Security Log Resources by Randy
- Serial number: of the certificate
- Reason:
| 0 |
CRL_REASON_UNSPECIFIED |
No reason specified |
| 1 |
CRL_REASON_KEY_COMPROMISE |
subject's private key compromised |
| 2 |
CRL_REASON_CA_COMPROMISE |
CA's private key compromized |
| 3 |
CRL_REASON_AFFILIATION_CHANGED |
subject's name or other information in the certificate has changed |
| 4 |
CRL_REASON_SUPERSEDED |
certificate has been superseded |
| 5 |
CRL_REASON_CESSATION_OF_OPERATION |
certificate is no longer needed |
| 6 |
CRL_REASON_CERTIFICATE_HOLD |
certificate placed on hold |
Setup PowerShell Audit Log Forwarding in 4 Minutes