Windows Security Log Event ID 4872

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Object Access
 • Certification Services
Type Success
Corresponding events
in Windows 2003
and before

4872: Certificate Services published the certificate revocation list (CRL)

On this page

Certification Authorities as a normal course of operation periodically publish an updated CRL and this event is logged at that time.

This event event is only logged if "Revoke certificates and publish CRLs" is enabled on the Audit tab of the CA's properties in Certificate Services MMC snap-in and of course if the Certificate Services audit subcategory is enabled with auditpol.

Base CRL: Yes or No - A base CRL is every certificate ever revoked; a delta CRL is an update to the base CRL and preceding deltas.

CRL Number: incremented each time CRL published

Key Container: unknown.  if you have information on this field please share it in a discussion below.

Next Publish: The next time an updated CRL will be published

Publish URLs: the URLs where the CRL was published including file system paths, ldap/Active Directory and on the web via http

Free Security Log Resources by Randy

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 4872

Certificate Services published the certificate revocation list (CRL).

Base CRL: Yes
CRL Number: 2
Key Container: acme-fr-WIN-857ZZX6RQHL-CA
Next Publish: 12/26/2007 5:38 AM 13.750s
Publish URLs: C:\Windows\system32\CertSrv\CertEnroll\acme-fr-WIN-857ZZX6RQHL-CA.crl; ldap:///CN=acme-fr-WIN-857ZZX6RQHL-CA,CN=WIN-857ZZX6RQHL,CN=CDP,CN=Public Key    Services,CN=Services,CN=Configuration,DC=acme-fr,DC=local;

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Upcoming Webinars
    Additional Resources