You can increase the logging level of the Certificate service in the event log for troubleshooting.
This causes Certificate services to log more frequent and verbose Application Event log entries.
To increase the logging level of the Certificate service, run the command:
certutil -setreg ca\loglevel logginglevel where logginglevel is the level you want to use, and then restart the service.
The following ranges are available:
0 CERTLOG_MINIMAL
1 CERTLOG_TERSE
2 CERTLOG_ERROR
3 CERTLOG_WARNING (Default)
4 CERTLOG_VERBOSE
taken from
http://support.microsoft.com/kb/305018and don't forget to restart the certificate services

If you use CLM you may also want to set the loglevel for the Policy and Exit modules:
Policy moduleAdd a string value named
Microsoft.Clm.PolicyModule to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\PolicyModules\Clm.Policy Exit moduleAdd a string value named
Microsoft.Clm.ExitModule in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ExitModules\Clm.ExitSet the string value to the desired logging level (Info, Warning, Error or verbose), and then restart the CLM Service to apply the trace logging settings.
Policy module pluginsIf you need logging for the CLM policy module plugins, you must create a config file.
Enabling trace logging for the policy module plug-ins causes CLM 2007 to write the error output to the system debug stream, viewable using
DebugView.
To enable trace logging, you must create a config file for
certsrv.exe file in the
C:\WINDOWS\system32 folder.
Create a new text document and name it
certsrv.exe.config;
open the new file and copy/paste the following configuration information (It's standard .NET tracing):
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.diagnostics>
<trace autoflush="true" indentsize="2" />
<switches>
<add name="Microsoft.Clm.PolicyModulePlugins" value="4" />
</switches>
</system.diagnostics>
</configuration>