> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # Enroll > The target node may be a Certificate Template or an Enterprise Certification Authority. Applies to BloodHound Enterprise and CE ## Abuse Info The Enroll permission grants enrollment rights on the certificate template. The following additional requirements must be met for a principal to be able to enroll a certificate: 1. The certificate template is published on an enterprise CA 2. The principal has Enroll permission on the enterprise CA 3. The principal meets the issuance requirements and the requirements for subject name and subject alternative name defined by the template Certify (2.0) can be used to enroll a certificate on Windows: ```cmd theme={null} Certify.exe request --ca SERVER\CA-NAME --template TEMPLATE ``` Certipy can be used to enroll a certificate on Linux: ```bash theme={null} certipy req -u USER@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE ``` ## Opsec Considerations When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate. ## Edge Schema Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\ Destination: [CertTemplate](/resources/nodes/cert-template), [EnterpriseCA](/resources/nodes/enterprise-ca) Traversable: **No** ## References This edge is related to the following MITRE ATT\&CK tactic and techniques: * [https://attack.mitre.org/techniques/T1649/](https://attack.mitre.org/techniques/T1649/) ### Abuse and Opsec references * [https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified\_Pre-Owned.pdf](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf)