To monitor digital certificates with Wazuh FIM, configure the syscheck module to watch the paths where .pfx, .p12 and .cer files are stored. Any modification or deletion triggers an immediate alert and meets ISO 27001 A.8.24 and ENS mp.com.3.
How do you detect changes to digital certificates with Wazuh FIM?
In this hands-on lab we modify and delete a certificate on Windows to see how FIM (File Integrity Monitoring) detects the changes and what information it surfaces in the Wazuh dashboard.
Video: FIM Dashboard - Certificates
12 minutes - Hands-on ISO 27001 and ENS lab
Regulatory framework: why it is mandatory
ISO 27001 - Control A.8.24
Cryptographic certificates must be protected, controlled and audited. Any change to them must be logged.
ENS - Measure mp.com.3
Protection of authenticity and integrity: cryptographic mechanisms must be protected against unauthorized modification.
In practice: if an auditor asks whether you control who can touch your certificates and whether you keep a record of every modification, the answer has to be yes. This lab is exactly that demonstration.
syscheck configuration on the Windows agent
Edit the ossec.conf file of the Windows agent:
```xml
<syscheck>
  <frequency>300</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Monitoring of the corporate certificate -->
  <directories realtime="yes"
               check_all="yes"
               report_changes="yes">C:\Users\Administrador\Documents\Certificados\CertificadoEmpresa.pfx</directories>

  <!-- Windows certificate store -->
  <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography</windows_registry>
</syscheck>
```

Explanation:
- realtime="yes": detects changes instantly
- check_all="yes": verifies hash, permissions, owner and size
- report_changes="yes": enables VirusTotal analysis if integrated
- windows_registry: watches the system certificate store
Restart the agent service on Windows:
```powershell
Restart-Service WazuhSvc
```
Custom rule for critical certificates
On the Wazuh server, edit the local rules file:
```bash
nano /var/ossec/etc/rules/local_rules.xml
```
Add this rule:
```xml
<group name="syscheck,certificate_monitor,">
  <rule id="100200" level="13">
    <if_sid>553</if_sid>
    <field name="syscheck.path">\.pfx$|\.p12$|\.cer$|\.key$</field>
    <description>CRITICO: Certificado digital eliminado - $(syscheck.path)</description>
    <mitre>
      <id>T1485</id>
    </mitre>
    <group>certificate,integrity,gdpr_II_5.1.f,hipaa_164.312.c.1,pci_dss_11.5,</group>
  </rule>
</group>
```

Explanation:
- if_sid 553: triggers when FIM detects a deleted file
- level="13": critical level (highest priority)
- syscheck.path: filters on certificate extensions (.pfx, .p12, .cer, .key)
- MITRE T1485: Data Destruction
- group: compliance tags for GDPR, HIPAA and PCI-DSS
Restart the manager:
```bash
systemctl restart wazuh-manager
```
FIM dashboard: what information it provides
When a certificate is modified or deleted, the Endpoint Security → File Integrity Monitoring dashboard shows:
- Event: added, modified or deleted
- Full path of the affected file
- SHA256 hash before and after (if modified)
- User who performed the action
- Exact timestamp
- Permission changes, if any
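As an added example (not part of the original lab), a small Python triage that reads constructed alerts.json-style records, applies the same certificate-extension filter as rule 100200 and pulls out the fields listed above. The field names follow Wazuh's syscheck alert schema; the sample records, agent, paths and user names are constructed.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Extension filter equivalent to the one in custom rule 100200, in PCRE form.
CERT_PATH_RE = re.compile(r"\.(pfx|p12|cer|key)$", re.IGNORECASE)


def is_certificate_path(path: str) -> bool:
    """True when a monitored path carries a certificate or private-key extension."""
    return CERT_PATH_RE.search(path) is not None


def triage_certificate_alerts(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Reduce raw alerts.json lines to the fields the FIM dashboard shows for certificates."""
    findings = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it rather than abort triage
        sc = alert.get("syscheck") or {}
        if not is_certificate_path(sc.get("path", "")):
            continue
        event = sc.get("event", "unknown")
        # who-data supplies the acting user; fall back to the file owner after the change
        user = sc.get("audit", {}).get("user", {}).get("name") or sc.get("uname_after")
        findings.append({
            "timestamp": alert.get("timestamp"),
            "path": sc["path"],
            "event": event,
            "user": user,
            "sha256_before": sc.get("sha256_before"),
            "sha256_after": sc.get("sha256_after"),
            "severity": "critical" if event == "deleted" else "warning",  # rule 100200 is level 13
        })
    return findings


# Constructed sample records in the shape of Wazuh's alerts.json (not real data).
SAMPLE_ALERTS = [
    json.dumps({"timestamp": "2024-05-02T10:15:03.000+0000", "rule": {"id": "553"},
                "syscheck": {"path": "C:\\Certs\\CertificadoEmpresa.pfx", "event": "deleted",
                             "sha256_before": "a" * 64, "uname_after": "Administrador"}}),
    json.dumps({"timestamp": "2024-05-02T10:16:40.000+0000", "rule": {"id": "550"},
                "syscheck": {"path": "C:\\Certs\\intermedia.cer", "event": "modified",
                             "sha256_before": "b" * 64, "sha256_after": "c" * 64,
                             "audit": {"user": {"name": "svc_deploy"}}}}),
    json.dumps({"timestamp": "2024-05-02T10:17:00.000+0000", "rule": {"id": "554"},
                "syscheck": {"path": "C:\\Certs\\readme.txt", "event": "added"}}),
    "not json at all",
]
```

Running `triage_certificate_alerts(SAMPLE_ALERTS)` yields two findings: the .pfx deletion marked critical and the .cer modification with both hashes, while the .txt event and the corrupt line are dropped.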
Compliance summary
| Regulation | Control | Coverage |
|---|---|---|
| ISO 27001 | A.8.24 | Management of cryptographic certificates |
| ENS | mp.com.3 | Protection of authenticity and integrity |
| PCI-DSS | 11.5 | Integrity monitoring |
| GDPR | Art. 5.1.f | Integrity and confidentiality |
Next steps
A full Wazuh deployment also covers dashboards like Configuration Assessment, Malware Detection and Threat Hunting. Discover our Wazuh services.