Abusing Misconfigured Certificate Templates Brief

Preconditions

A domain user with enrollment rights on a template that has all of the following: ENROLLEE_SUPPLIES_SUBJECT enabled, an authentication-capable EKU, no manager approval, and no authorized signatures required. The issuing Enterprise CA must be present in NTAuthCertificates.

Attacker Gain

A certificate that authenticates as any identity in the domain via PKINIT. It is functionally equivalent to knowing the target's password, but it survives password resets and remains valid for the template's entire validity period, often months or years.

Stakeholder Explanation

Your certificate authority has a template that lets anyone request an identity document claiming to be any person, including administrators. The document is automatically issued without review. The fix is changing the template settings so the system verifies the requester's identity.

Report Phrasing

Finding: Misconfigured Certificate Template Allows Arbitrary Identity Certificate Requests. Template [name] on CA [name] has ENROLLEE_SUPPLIES_SUBJECT enabled, Client Authentication EKU, enrollment by [group]. Attacker achieves domain compromise from standard user via PKINIT. Severity: Critical. Recommendation: Disable ENROLLEE_SUPPLIES_SUBJECT; restrict enrollment; enable manager approval.
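The precondition set above and the recommendation in the report phrasing can both be expressed as a template audit. The following is an added example written for this brief, not code from the original page or from any AD CS tool: it evaluates constructed, in-memory template records shaped like the LDAP attributes Windows stores for certificate templates (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage), flags a template that meets every precondition, and shows the same template after the recommended fix. The template names, the "PKI Admins" group, and the `ca_in_ntauth` argument are assumptions; in practice the records would come from an LDAP query of the Configuration naming context.

```python
"""Audit certificate templates for the ESC1-style precondition set.

Added example for this brief. Template records below are constructed
in memory; replace them with real LDAP results in practice.
"""
from dataclasses import dataclass, replace as dc_replace

# Bit in msPKI-Certificate-Name-Flag: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: all requests are held for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose enrollment right means "any domain user can enrol".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users",
                       "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    certificate_name_flag: int   # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signatures: int           # msPKI-RA-Signature
    ekus: frozenset              # pKIExtendedKeyUsage; empty = no EKU restriction
    enrollers: frozenset         # principals holding Certificate-Enrollment
    published: bool = True       # listed in the CA's certificateTemplates


def allows_authentication(ekus):
    # An empty EKU list imposes no usage restriction, so it counts as auth-capable.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def audit(t):
    """Return the names of the preconditions this template satisfies."""
    hits = []
    if t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("ENROLLEE_SUPPLIES_SUBJECT")
    if allows_authentication(t.ekus):
        hits.append("authentication-capable EKU")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        hits.append("no manager approval")
    if t.ra_signatures == 0:
        hits.append("no authorized signatures")
    if t.enrollers & LOW_PRIV_PRINCIPALS:
        hits.append("low-privilege enrollment")
    return hits


def is_esc1(t, ca_in_ntauth=True):
    """All five template preconditions plus a CA trusted for authentication."""
    return ca_in_ntauth and t.published and len(audit(t)) == 5


def harden(t, admin_group="PKI Admins"):
    """Apply the report's recommendation: clear ENROLLEE_SUPPLIES_SUBJECT,
    restrict enrollment to an admin group (assumed name), require approval."""
    return dc_replace(
        t,
        certificate_name_flag=t.certificate_name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
        enrollers=frozenset({admin_group}),
    )


# Constructed sample: a template meeting every precondition in the brief.
VULNERABLE = Template(
    name="LegacyUserAuth",            # assumed name
    certificate_name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signatures=0,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}),
    enrollers=frozenset({"Domain Users", "PKI Admins"}),
)
HARDENED = harden(VULNERABLE)

if __name__ == "__main__":
    for t in (VULNERABLE, HARDENED):
        print(f"{t.name}: esc1={is_esc1(t)} preconditions={audit(t)}")
```

`harden` returns a new record rather than mutating the input so the before/after pair can be shown side by side in a report; note that the hardened template still carries an authentication EKU and zero required signatures, which is fine on its own because the requester can no longer choose the subject and every request now waits for approval.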

Weak Explanation Patterns

  • Describing this as 'hacking the CA' — the CA is doing exactly what the template says
  • Citing ESC numbers without explaining the actual misconfiguration
  • Not explaining the certificate-to-TGT chain — the certificate alone is not the impact
  • Confusing this with template permission abuse — this exploits a pre-existing misconfiguration, not a modification