Hello @Mike Bruno,
Thank you for posting here.
Based on my test in lab, we need to configure two audit group policy settings:
1. To audit events, the computer must be configured for auditing certification services. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Certification Services.
2. To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
We can enable role separation by entering the following certutil command and then restarting Active Directory Certificate Services (AD CS):
`certutil -setreg CA\RoleSeparationEnabled 1`
Similarly, to disable role separation, a local administrator on the CA server can enter:
`certutil -delreg CA\RoleSeparationEnabled`
Tip: my CA is Windows Server 2019, and the Event ID is **4897** when I turn Role Separation on or off.
For more information, we can refer to the links below.
Q: How can I make sure that a given Windows account is assigned only a single Certification Authority (CA) management role?
https://www.itprotoday.com/security/q-how-can-i-make-sure-given-windows-account-assigned-only-single-certification-authority-ca
Configure CA Event Auditing
https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772451(v=ws.10)?redirectedfrom=MSDN
Hope the information above is helpful.
Best Regards,
Daisy Zhou
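As an added example (not part of the answer above, and not Microsoft's own tooling), the following read-only PowerShell script checks the three things the answer describes on a CA server: whether the "Certification Services" audit subcategory is enabled, the current `RoleSeparationEnabled` value that `certutil -setreg CA\RoleSeparationEnabled` writes under `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>`, and any Event ID 4897 entries in the Security log. The registry path and the `auditpol /r` CSV column names are assumptions from my own lab use; run it elevated on the CA.

```powershell
# Added example: read-only checks for CA audit prerequisites and role separation.
# Assumes the CA's settings live under the Configuration key below (where
# certutil -setreg CA\<name> writes) and that auditpol /r emits CSV columns
# named "Subcategory" and "Inclusion Setting".
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRoleSeparationState {
    # The "Active" value under the Configuration key holds the CA common name.
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey  = Join-Path $configKey $caName
    $value  = (Get-ItemProperty -Path $caKey -Name RoleSeparationEnabled `
                -ErrorAction SilentlyContinue).RoleSeparationEnabled
    # certutil -delreg removes the value entirely, so "missing" means off.
    $state = if ($null -eq $value) { 'not set (off)' }
             elseif ($value -eq 1) { 'on' }
             else { "off (value=$value)" }
    [pscustomobject]@{ CA = $caName; RoleSeparationEnabled = $state }
}

function Get-CaAuditSubcategory {
    # The answer's first prerequisite: the Certification Services subcategory
    # must be audited. auditpol /r returns CSV; "Inclusion Setting" should
    # read "Success and Failure" (or at least "Success") on the CA.
    param([string]$Subcategory = 'Certification Services')
    auditpol /get /subcategory:"$Subcategory" /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-RoleSeparationAuditEvents {
    # Event ID 4897 is the Security log entry the answer reports when role
    # separation is turned on or off. Get-WinEvent writes a non-terminating
    # error when nothing matches, so SilentlyContinue just yields no rows.
    param([int]$Days = 30, [int]$MaxEvents = 50)
    $filter = @{ LogName = 'Security'; Id = 4897
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-CaRoleSeparationState
Get-CaAuditSubcategory
Get-RoleSeparationAuditEvents
```

If the audit subcategory shows "No Auditing", no 4897 event will be written regardless of the registry value, which is why the answer lists the audit policy as the first step.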