Skip to main content
The downloaded config.json already points log_file at the provider’s own directory, so you do not need to create C:\ProgramData\Futurex or edit the path. The default is:
config.json (default log_file)
Log account context. The FXCL CNG provider writes fxcl.log from whatever process loads the KSP: certutil/certreq (elevated admin) during enrollment, and Schannel (the lsass.exe SYSTEM context) during TLS handshakes. Both write the default C:\Program Files\Futurex\fxcl\kmes\cng location without any manual icacls grant on a standard Server 2022 install. Only add an explicit grant if you relocate log_file to a directory the SYSTEM account cannot write. (The NETWORK SERVICE grant in the Microsoft OCSP guide is specific to the Online Responder’s app-pool identity and does not apply to IIS TLS handshakes.)
1
For lab testing, set log_level to traffic in config.json so the appliance exchange is visible; set enable_debug_view as needed. For production, use log_level info and enable_debug_view false.
log_level: traffic writes the endpoint API key (a JWAPI: token) into every [Send] line of fxcl.log. Mask it before sharing logs.