ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Certificate Authority management console displaying PKI certificate services and security audit logs
Event ID 4882InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4882 – Security: Certificate Services Received a Certificate Request

Event ID 4882 logs when Active Directory Certificate Services receives a certificate request. This security audit event tracks certificate enrollment activity and helps monitor PKI operations in Windows environments.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4882Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4882 represents a fundamental component of Windows PKI security auditing. When a client submits a certificate request to Active Directory Certificate Services, the CA server logs this event to provide administrators with comprehensive visibility into certificate enrollment activity. The event captures critical metadata about each request, including the requesting user's identity, the certificate template being used, and the method of submission.

This event plays a vital role in PKI security monitoring and compliance. Organizations use Event ID 4882 logs to detect unusual certificate request patterns, investigate potential security incidents, and maintain audit trails for regulatory compliance. The event provides the foundation for understanding certificate enrollment behavior across the enterprise, helping administrators identify both legitimate business needs and potential security threats.

The event structure includes detailed information about the certificate request, such as the subject distinguished name, certificate template name, and request attributes. This granular data enables administrators to correlate certificate requests with business processes and security policies. Event ID 4882 works in conjunction with other PKI-related events to provide a complete picture of certificate lifecycle management within the Windows environment.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • User or computer requesting a certificate through the Certificates MMC snap-in
  • Automatic certificate enrollment triggered by Group Policy
  • Application programmatically requesting certificates via CAPI or CNG APIs
  • Web-based certificate enrollment through the Certificate Authority web interface
  • Certificate request submitted via certreq.exe command-line tool
  • Smart card enrollment or renewal processes
  • Exchange Server requesting certificates for mail encryption
  • IIS web server requesting SSL/TLS certificates
  • Domain controller requesting authentication certificates
  • Third-party applications integrating with Windows PKI infrastructure
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4882 to understand the certificate request context.

  1. Open Event Viewer on the Certificate Authority server
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4882 using the filter option
  4. Double-click on a recent Event ID 4882 entry
  5. Review the event details, focusing on:
    • Subject Name: The requested certificate subject
    • Template Name: Certificate template used
    • Requester: User or computer making the request
    • Request ID: Unique identifier for tracking

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4882} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Subject';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject Name:*'}) -replace 'Subject Name:', ''}}
Pro tip: Cross-reference the Request ID with Certificate Authority management tools to track the request's approval status.
02

Analyze Certificate Request Patterns

Examine certificate request patterns to identify trends, anomalies, or potential security issues.

  1. Generate a comprehensive report of certificate requests over a specific timeframe:
$StartDate = (Get-Date).AddDays(-30)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4882; StartTime=$StartDate}
$RequestData = $Events | ForEach-Object {
    $Message = $_.Message
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Requester = ($Message | Select-String 'Account Name:\s*(.+)').Matches[0].Groups[1].Value
        Template = ($Message | Select-String 'Template:\s*(.+)').Matches[0].Groups[1].Value
        Subject = ($Message | Select-String 'Subject Name:\s*(.+)').Matches[0].Groups[1].Value
    }
}
$RequestData | Export-Csv -Path "C:\Temp\CertificateRequests.csv" -NoTypeInformation
  1. Analyze the exported data for:
    • Unusual request volumes from specific users
    • Requests for sensitive certificate templates
    • Off-hours certificate request activity
    • Requests from unexpected sources
  2. Create frequency analysis:
$RequestData | Group-Object Requester | Sort-Object Count -Descending | Select-Object Name, Count
Warning: High-volume certificate requests from a single account may indicate compromised credentials or malicious activity.
03

Configure Advanced PKI Auditing

Enhance PKI monitoring by configuring comprehensive certificate services auditing policies.

  1. Open Group Policy Management Console on a domain controller
  2. Navigate to the appropriate GPO for Certificate Authority servers
  3. Go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Expand Object Access and configure:
    • Audit Certificate Services: Enable Success and Failure
    • Audit Other Object Access Events: Enable Success and Failure
  5. Apply the policy and run gpupdate /force on CA servers
  6. Verify audit settings using PowerShell:
auditpol /get /subcategory:"Certificate Services"
  1. Configure additional PKI-specific logging by modifying the Certificate Authority registry:
Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\YourCAName" -Name "AuditFilter" -Value 127 -Type DWord

This enables comprehensive certificate services auditing including request submissions, approvals, and denials.

Pro tip: Use Windows Event Forwarding to centralize PKI audit logs from multiple Certificate Authority servers for easier analysis.
04

Implement Certificate Request Monitoring Automation

Create automated monitoring solutions to track and alert on certificate request activities.

  1. Create a PowerShell script for continuous monitoring:
# CertificateRequestMonitor.ps1
param(
    [int]$MonitoringIntervalMinutes = 15,
    [string]$AlertThreshold = 10
)

while ($true) {
    $StartTime = (Get-Date).AddMinutes(-$MonitoringIntervalMinutes)
    $RecentRequests = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4882
        StartTime=$StartTime
    } -ErrorAction SilentlyContinue
    
    if ($RecentRequests.Count -gt $AlertThreshold) {
        $AlertMessage = "High certificate request activity detected: $($RecentRequests.Count) requests in last $MonitoringIntervalMinutes minutes"
        Write-EventLog -LogName Application -Source "PKI Monitor" -EventId 1001 -EntryType Warning -Message $AlertMessage
        
        # Send email alert (configure SMTP settings)
        Send-MailMessage -To "admin@company.com" -From "pkimonitor@company.com" -Subject "PKI Alert" -Body $AlertMessage -SmtpServer "mail.company.com"
    }
    
    Start-Sleep -Seconds (60 * $MonitoringIntervalMinutes)
}
  1. Create a scheduled task to run the monitoring script:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\CertificateRequestMonitor.ps1"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "PKI Request Monitor" -Action $Action -Trigger $Trigger -Principal $Principal
  1. Configure Windows Event Subscriptions for centralized monitoring:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>PKI-Certificate-Requests</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4882]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
05

Integrate with SIEM and Security Analytics

Implement advanced security monitoring by integrating Event ID 4882 with Security Information and Event Management (SIEM) systems.

  1. Configure Windows Event Forwarding to send PKI events to a central collector:
# On the collector server
wecutil qc /q
wecutil cs PKI-Subscription.xml
  1. Create custom detection rules for suspicious certificate request patterns:
# Example: Detect certificate requests outside business hours
$BusinessHourStart = 8
$BusinessHourEnd = 18
$SuspiciousRequests = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4882} -MaxEvents 1000 | Where-Object {
    $_.TimeCreated.Hour -lt $BusinessHourStart -or $_.TimeCreated.Hour -gt $BusinessHourEnd
}

if ($SuspiciousRequests) {
    $SuspiciousRequests | ForEach-Object {
        $EventData = [xml]$_.ToXml()
        $Subject = $EventData.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectName'} | Select-Object -ExpandProperty '#text'
        Write-Host "Suspicious after-hours certificate request for: $Subject at $($_.TimeCreated)"
    }
}
  1. Configure log shipping to SIEM platforms using PowerShell:
# Export events in JSON format for SIEM ingestion
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4882} -MaxEvents 100
$JsonEvents = $Events | ForEach-Object {
    @{
        timestamp = $_.TimeCreated.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
        event_id = $_.Id
        level = $_.LevelDisplayName
        source = $_.ProviderName
        message = $_.Message
        computer = $_.MachineName
    }
} | ConvertTo-Json -Depth 3

$JsonEvents | Out-File -FilePath "C:\Logs\PKI-Events-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
  1. Set up correlation rules to detect certificate-based attacks:
  2. Monitor for patterns indicating:
    • Mass certificate requests from compromised accounts
    • Requests for certificates with suspicious subject names
    • Certificate requests correlating with other security events
    • Unusual geographic patterns in certificate requests
Warning: Ensure SIEM integration doesn't overwhelm log storage capacity, especially in high-volume PKI environments.

Overview

Event ID 4882 fires when Active Directory Certificate Services (AD CS) receives a certificate request from a client. This security audit event is part of Windows PKI monitoring and appears in the Security log on Certificate Authority servers. The event captures essential details about certificate enrollment attempts, including the requesting user, certificate template, and submission method.

This event is crucial for PKI security monitoring as it provides visibility into certificate request activity across your organization. System administrators use Event ID 4882 to track certificate enrollment patterns, identify unauthorized certificate requests, and troubleshoot PKI issues. The event fires regardless of whether the certificate request is approved, denied, or pending, making it valuable for comprehensive certificate lifecycle auditing.

Certificate Services generates this event on servers running the Certificate Authority role service. The event contains detailed information about the request, including the subject name, certificate template used, and the security context of the requesting user. This data helps administrators maintain PKI security and compliance requirements.

Frequently Asked Questions

What does Event ID 4882 mean and when does it occur?+
Event ID 4882 indicates that Active Directory Certificate Services received a certificate request. This event fires every time a client submits a certificate request to a Certificate Authority server, regardless of whether the request is approved, denied, or pending. The event captures essential details about the request including the requesting user, certificate template, subject name, and submission method. It's a security audit event that helps administrators track PKI activity and maintain certificate lifecycle visibility across the organization.
How can I identify suspicious certificate request activity using Event ID 4882?+
Monitor Event ID 4882 for unusual patterns such as high-volume requests from single accounts, requests outside business hours, or requests for sensitive certificate templates. Use PowerShell to analyze request frequency by user and template type. Look for requests with suspicious subject names, requests from unexpected sources, or correlation with other security events. Implement automated monitoring to alert on threshold violations and establish baselines for normal certificate request activity in your environment.
Can Event ID 4882 help with PKI security compliance and auditing?+
Yes, Event ID 4882 is essential for PKI compliance and auditing. It provides a complete audit trail of certificate requests, including who requested certificates, when requests occurred, and which templates were used. This information supports regulatory compliance requirements like SOX, HIPAA, and PCI DSS. The event data helps demonstrate proper certificate lifecycle management, supports forensic investigations, and provides evidence of PKI security controls. Many compliance frameworks require detailed logging of certificate operations, which Event ID 4882 directly addresses.
What information is included in Event ID 4882 and how do I extract it?+
Event ID 4882 contains detailed information including the requester's account name and domain, certificate subject name, certificate template used, request ID for tracking, submission method, and timestamp. Extract this data using PowerShell with Get-WinEvent and parse the message content using regular expressions or XML parsing. The event also includes security context information and request attributes. Use structured queries to filter and analyze this data for reporting, monitoring, and security analysis purposes.
How do I troubleshoot missing or excessive Event ID 4882 entries?+
Missing Event ID 4882 entries typically indicate disabled security auditing or insufficient audit policy configuration. Verify that Certificate Services auditing is enabled in Group Policy under Advanced Audit Policy Configuration. Check the AuditFilter registry value on the CA server and ensure it includes certificate request auditing. Excessive entries may indicate automated certificate enrollment, compromised accounts, or misconfigured applications. Review certificate templates for automatic enrollment settings and investigate high-volume requesters. Use Event Viewer filtering and PowerShell analysis to identify the source of excessive requests.
Documentation

References (2)

1
Microsoft Learn - Certificate Services Security AuditingOfficial Microsoft documentation covering Certificate Services security auditing configuration and best practiceshttps://learn.microsoft.com/en-us/windows-server/identity/ad-cs/security-auditing
2
Windows Security Audit Events ReferenceComprehensive reference for Windows security audit events including PKI-related eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4882#certificate-services#pki-security

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...