Windows Security Log Event ID 4872

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Object Access
 • Certification Services
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 4872
Ask a question about this event

4872: Certificate Services published the certificate revocation list (CRL)

On this page

Certification Authorities as a normal course of operation periodically publish an updated CRL and this event is logged at that time.

This event event is only logged if "Revoke certificates and publish CRLs" is enabled on the Audit tab of the CA's properties in Certificate Services MMC snap-in and of course if the Certificate Services audit subcategory is enabled with auditpol.

Base CRL: Yes or No - A base CRL is every certificate ever revoked; a delta CRL is an update to the base CRL and preceding deltas.

CRL Number: incremented each time CRL published

Key Container: unknown.  if you have information on this field please share it in a discussion below.

Next Publish: The next time an updated CRL will be published

Publish URLs: the URLs where the CRL was published including file system paths, ldap/Active Directory and on the web via http

Free Security Log Resources by Randy

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4872

Certificate Services published the certificate revocation list (CRL).

Base CRL: Yes
CRL Number: 2
Key Container: acme-fr-WIN-857ZZX6RQHL-CA
Next Publish: 12/26/2007 5:38 AM 13.750s
Publish URLs: C:\Windows\system32\CertSrv\CertEnroll\acme-fr-WIN-857ZZX6RQHL-CA.crl; ldap:///CN=acme-fr-WIN-857ZZX6RQHL-CA,CN=WIN-857ZZX6RQHL,CN=CDP,CN=Public Key    Services,CN=Services,CN=Configuration,DC=acme-fr,DC=local;

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources