{"id":1212,"date":"2025-03-17T16:26:47","date_gmt":"2025-03-17T15:26:47","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1212"},"modified":"2025-03-17T17:35:09","modified_gmt":"2025-03-17T16:35:09","slug":"when-your-enterprise-pki-becomes-one-of-your-enemies-part-5","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1212","title":{"rendered":"When your Enterprise PKI becomes one of your enemies (Part 5)"},"content":{"rendered":"\n<p><strong>Mitigate Authentication Mechanism Assurance (AMA) abuse<\/strong><br>In the last post in this blog series &#8211; <a href=\"https:\/\/blog.chrisse.se\/?p=1187\" data-type=\"link\" data-id=\"https:\/\/blog.chrisse.se\/?p=1187\">When your Enterprise PKI becomes one of your enemies (Part 4)<\/a> &#8211; we went through how Authentication Mechanism Assurance (AMA) works and how it can be abused together with Public Key Infrastructure (PKI) to compromise an Active Directory forest if it&#8217;s not designed the right way.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6-1024x584.png\" alt=\"\" class=\"wp-image-1213\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6-1024x584.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6-300x171.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6-768x438.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6-1536x876.png 1536w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-6.png 1554w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>One of the core issues here, as demonstrated in the previous blog article(s), is that AMA abuse can be performed by obtaining a certificate from a certificate authority that is trusted by the KDC (but not necessarily 
being trusted in NTAuth) &#8211; to summarize the requirements again.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Obtain a certificate from a certificate authority (CA) that is trusted on the KDC and be able to supply the AMA Issuance Policy OID &#8211; this can be achieved by:\n<ul class=\"wp-block-list\">\n<li>Certificate Template configured for &#8216;Supply in the request&#8217; &#8211; SITR<\/li>\n\n\n\n<li>Being able to write to at least one user account&#8217;s altSecId (altSecurityIdentities) attribute.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Using key trust, obtain a certificate from a certificate authority (CA) that is trusted in NTAuth and be able to supply the AMA Issuance Policy OID &#8211; this can be achieved by:\n<ul class=\"wp-block-list\">\n<li>Certificate Template configured for &#8216;Supply in the request&#8217; &#8211; SITR<\/li>\n\n\n\n<li>Being local administrator, or being able to become SYSTEM, on any domain member within the forest &#8211; e.g. a regular client is enough.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Note that the privilege escalation achievable through AMA abuse depends on the privilege that is linked to the &#8216;AMA Issuance Policy OID&#8217;.<\/p>\n\n\n\n<p>So how can we mitigate these?<\/p>\n\n\n\n<p><strong>Mitigation 1: Un-trust &#8220;Issuing CA 2&#8221; on all Domain Controllers \/ Key Distribution Centers<\/strong><br>Let&#8217;s think a bit about the first scenario (1.) &#8211; here it&#8217;s not even required that the certificate authority is trusted within NTAuth; it&#8217;s enough that the CA is trusted on the KDCs. 
So even with our two-Enterprise-CA design, where one of them (CA2) is NOT trusted in NTAuth, we&#8217;re not going to be protected: &#8216;Issuing CA 2&#8217; is still an Enterprise CA, and its certificate is going to be rolled out to the &#8216;intermediate certificate authorities&#8217; store on all domain members, including on domain controllers \/ KDCs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"363\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1024x363.png\" alt=\"\" class=\"wp-image-1234\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1024x363.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-300x106.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-768x272.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1536x544.png 1536w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image.png 1646w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>One way to block this could be to specifically &#8220;un-trust&#8221; the certificate authority (CA) on the domain controllers \/ KDCs. 
This can be accomplished by adding the &#8216;Issuing CA 2&#8217; CA certificate to the &#8220;Untrusted Certificates&#8221; store on all domain controllers \/ KDCs.<br><br>Note: This can be done using a Group Policy of course, but it needs to be updated every time the CA certificate of &#8216;Issuing CA 2&#8217; is renewed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1-1024x534.png\" alt=\"\" class=\"wp-image-1235\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1-1024x534.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1-300x156.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1-768x400.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-1.png 1476w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>The real downside with this is the manual maintenance of blocking &#8216;Issuing CA 2&#8217;, as new CA certificates will be issued to it over time.<\/p>\n\n\n\n<p>Let&#8217;s try another approach.<\/p>\n\n\n\n<p><strong>Mitigation 2 &#8211; Require an Issuance Policy<\/strong><\/p>\n\n\n\n<p>One way to mitigate the AMA abuse would be to ensure that no one can supply an issuance policy of their own choosing in certificates issued by &#8216;Issuing CA 2&#8217; or any other certificate authority within the forest that is trusted on domain controllers \/ KDCs. Those might be certificate authorities that host supply-in-the-request (SITR) templates, but they are not limited to that; they can also be standalone or 3rd-party CAs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"531\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-3-1024x531.png\" alt=\"\" 
class=\"wp-image-1239\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-3-1024x531.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-3-300x156.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-3-768x398.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-3.png 1526w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>By including your own Issuance Policy OID (let&#8217;s call it &#8216;TLS Low Assurance Policy&#8217;) in &#8216;Issuing CA 2&#8217;s CA certificate and omitting &#8220;2.5.29.32.0&#8221; &#8211; the All Issuance Policies OID &#8211; it becomes enforced that every leaf certificate issued by the CA also needs to include your own Issuance Policy. Since every leaf certificate needs to contain your own Issuance Policy OID, it would by design be impossible to include the policy OID used by AMA, hence blocking any AMA abuse.<\/p>\n\n\n\n<p>So how is this implemented in reality? Well, it depends on the type of certificate authority, but for Active Directory Certificate Services (AD CS) this would go into your CAPolicy.inf.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CAPolicy.inf with Chrisse TLS Low Assurance Policy<\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">[Version]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Signature= &quot;$Windows NT$&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\"><\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">[BasicConstraintsExtension]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Pathlength = 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Critical = true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\"><\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #24292eff\">[PolicyStatementExtension]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Policies = EnterpriseCA02Oid,LowIssuancePolicy<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Critical = 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\"><\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">[EnterpriseCA02Oid]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Notice = &quot;Chrisse Issuing CA 2&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">OID = 1.3.6.1.4.1.51467.2.1.2.1.3<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\"><\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">[LowIssuancePolicy]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">Notice = &quot;Chrisse TLS Low Assurance Policy&quot;<\/span><\/span>\n<span class=\"line cbp-see-more-line \"><span style=\"color: #24292eff\">OID = 1.3.6.1.4.1.51467.2.1.2.3.1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\"><\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">[Certsrv_Server]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">RenewalKeyLength = 4096<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">RenewalValidityPeriodUnits = 6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">RenewalValidityPeriod = years<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">CRLPeriod = days<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">CRLPeriodUnits = 3<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">CRLDeltaPeriod = days<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">CRLDeltaPeriodUnits = 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">ClockSkewMinutes = 20 <\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #24292eff\">LoadDefaultTemplates = 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292eff\">AlternateSignatureAlgorithm = 0<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Now to the downside of this mitigation approach &#8211; how do you ensure that the &#8216;TLS Low Assurance Policy&#8217; is included in every leaf certificate? Because if you don&#8217;t, the issuance will fail. If you have an Active Directory Certificate Services (AD CS) Enterprise CA, as &#8216;Issuing CA 2&#8217; is in this case (it&#8217;s just not a member of NTAuth), you can simply include this certificate policy in all templates that are published on &#8216;Issuing CA 2&#8217;. This also safeguards against someone mistakenly publishing a certificate template that does not belong there, because if that template is missing the &#8216;TLS Low Assurance Policy&#8217;, enrollment of any certificate using that template would again fail.<\/p>\n\n\n\n<p>But what about 3rd-party CAs, or Active Directory Certificate Services (AD CS) installed as a standalone certificate authority? Well, then the policy must be included in the request (CSR).<br>This can be done fairly simply with openssl:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">openssl req -new -subj &quot;\/CN=RHEL9&quot; -addext &quot;subjectAltName = DNS:RHEL9, DNS:RHEL9.eur.corp.chrisse.com&quot; -addext &quot;certificatePolicies = 1.3.6.1.4.1.51467.2.1.2.3.1&quot; -newkey rsa:2048 -keyout key.pem -out req.pem -nodes<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>It&#8217;s a bit more complicated using native PowerShell, but relatively easy using Carl S\u00f6rqvist&#8217;s module.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">PowerShell<\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">Import-Module<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name CertRequestTools<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CA2 <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;nttest-ca-02.nttest.chrisse.com\\Chrisse Issuing CA 2&quot;<\/span><span style=\"color: #24292EFF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$IssuancePolicyExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: 
#6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;1.3.6.1.4.1.51467.2.1.2.3.1&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">New-PrivateKey<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">RsaKeySize <\/span><span style=\"color: #1976D2\">2048<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">KeyName ([<\/span><span style=\"color: #D32F2F\">Guid<\/span><span style=\"color: #24292EFF\">]::NewGuid()) <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificateRequest<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Subject <\/span><span style=\"color: #22863A\">&quot;CN=DEMO3&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">UserPrincipalName <\/span><span style=\"color: #22863A\">&quot;caso@nttest.chrisse.com&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">OtherExtension $IssuancePolicyExtension <\/span><span style=\"color: 
#D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">Submit-CertificateRequest<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">ConfigString $CA2 <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">Install-Certificate<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name My <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Location CurrentUser<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><strong>So an Enterprise CA can never be managed outside of T0<\/strong><br>Why? 
Let&#8217;s have a look at this scenario &#8211; assume that &#8216;Issuing CA 2&#8217; was not managed from Tier 0 for a while:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"559\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-1024x559.png\" alt=\"\" class=\"wp-image-1237\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-1024x559.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-300x164.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-768x419.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2.png 1420w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>In that scenario a Tier 1 administrator could log on to &#8216;Issuing CA 2&#8217;, become SYSTEM and act in the machine&#8217;s security context. Enterprise CAs are automatically added to the &#8216;Cert Publishers&#8217; group, and that group is always given &#8216;Full Control&#8217; over an Enterprise CA&#8217;s &#8216;certificationAuthority&#8217; object within &#8216;CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=nttest,DC=chrisse,DC=com&#8217;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-1024x632.png\" alt=\"\" class=\"wp-image-1238\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-1024x632.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-300x185.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-768x474.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub.png 1417w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 
543px, 580px\" \/><\/figure>\n\n\n\n<p>This is unfortunately hardcoded into the installation of an Enterprise CA. But now to the interesting part: what can you do if you&#8217;re a member of &#8216;Cert Publishers&#8217;? Stay tuned for the next part in this blog series: <a href=\"https:\/\/blog.chrisse.se\/?p=1247\" data-type=\"link\" data-id=\"https:\/\/blog.chrisse.se\/?p=1247\">&#8220;When your Enterprise PKI becomes one of your enemies (Part 6)&#8221;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mitigate Authentication Mechanism Assurance (AMA) abuse. In the last post in this blog series &#8211; When your Enterprise PKI becomes one of your enemies (Part 4) &#8211; we went through how Authentication Mechanism Assurance (AMA) works and how it can be abused together with Public Key Infrastructure (PKI) to compromise an Active Directory forest if it&#8217;s not designed the &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=1212\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;When your Enterprise PKI becomes one of your enemies (Part 
5)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[36],"tags":[6,32,39,31],"class_list":["post-1212","post","type-post","status-publish","format-standard","hentry","category-public-key-infrastructure-pki","tag-active-directory","tag-adcs","tag-ama","tag-sitr"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1212"}],"version-history":[{"count":9,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1212\/revisions"}],"predecessor-version":[{"id":1260,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1212\/revisions\/1260"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}