ESC4 > ESC1 to CERTSRV_E_UNSUPPORTED_CERT_TYPE #189

Open
breachr opened this issue Dec 15, 2023 · 6 comments

Comments

@breachr

breachr commented Dec 15, 2023

Amazing tool! But somehow I can't get this working. I'm not sure what the problem is, maybe the space in the CA Name?

Certificate Authorities
  0
    CA Name                             : testa brotstube GmbH
    DNS Name                            : srv-dc01.testa.local
    Certificate Subject                 : CN=testa brotstube GmbH
    Certificate Serial Number           : <REDACTED>
    Certificate Validity Start          : 2020-03-02 08:16:41+00:00
    Certificate Validity End            : 2030-03-02 09:03:05+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Disabled
    Permissions
      Owner                             : testa.LOCAL\Administrators
      Access Rights
        ManageCertificates              : testa.LOCAL\Administrators
                                          testa.LOCAL\Domänen-Admins
                                          testa.LOCAL\Organisations-Admins
        ManageCa                        : testa.LOCAL\Administrators
                                          testa.LOCAL\Domänen-Admins
                                          testa.LOCAL\Organisations-Admins
        Enroll                          : testa.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
      ESC11                             : Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : Exchange-SHA256-5y
    Display Name                        : Exchange-SHA256-5y
    Certificate Authorities             : testa brotstube GmbH
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16777216
                                          65536
                                          ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : testa.LOCAL\Administrator
        Full Control Principals         : testa.LOCAL\Authenticated Users
        Write Owner Principals          : testa.LOCAL\Authenticated Users
        Write Dacl Principals           : testa.LOCAL\Authenticated Users
        Write Property Principals       : testa.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : 'testa.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'testa.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
      ESC3                              : 'testa.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
      ESC4                              : 'testa.LOCAL\\Authenticated Users' has dangerous permissions


certipy req -u [email protected] -p passw0rd -ca 'testa brotstube GmbH' -template Exchange-SHA256-5y -upn [email protected] -debug

Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'SRV-DC01.testa.LOCAL' at '172.16.10.2'
[+] Resolved 'SRV-DC01.testa.LOCAL' from cache: 172.16.10.1
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:172.16.10.1[\pipe\cert]
[+] Connected to endpoint: ncacn_np:172.16.10.1[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80094800 - CERTSRV_E_UNSUPPORTED_CERT_TYPE - The requested certificate template is not supported by this CA.
[*] Request ID is 383

find had some problems as well, but got me the templates and CA info in the end:

[*] Trying to get CA configuration for 'testa brotstube GmbH' via CSRA
[!] Got error while trying to get CA configuration for 'testa brotstube GmbH' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'testa brotstube GmbH' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'testa brotstube GmbH'
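The find output above is a fixed indented Key : Value tree, where a value that spans several lines (Private Key Flag here) continues on lines aligned under the first value. As an added example that is not Certipy's own code, this parser turns that text into nested dicts and re-derives the ESC1 conditions from the parsed fields, so a reported finding can be re-checked from saved output; the sample input is constructed from the template block above, and the set of low-privileged groups is an assumption.

```python
import re
# Constructed sample, trimmed from the `certipy find` template block in the issue above.
SAMPLE = """\
Certificate Templates
  0
    Template Name                       : Exchange-SHA256-5y
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Private Key Flag                    : 16777216
                                          ExportableKey
    Requires Manager Approval           : False
    Permissions
      Object Control Permissions
        Full Control Principals         : testa.LOCAL\\Authenticated Users
"""
LINE = re.compile(r"^(\s*)(\S.*?)(?:\s+: (.*))?$")   # indent, key, optional value
LOW_PRIV = {"Authenticated Users", "Domain Users"}   # assumption: groups that mean "anyone"
ESC1_NEEDS = {"Enabled": "True", "Client Authentication": "True",
              "Enrollee Supplies Subject": "True", "Requires Manager Approval": "False"}

def parse_find(text):
    """Nested dicts per section/attribute; values continued on aligned lines become lists."""
    stack, last = [(-1, {})], None   # open sections as (indent, dict); stack[0] is the root
    for m in filter(None, map(LINE.match, text.splitlines())):   # skips blank lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if value is None and last and indent >= last[1]:   # line aligned under previous value
            node, k = last[0], last[2]
            node[k] = (node[k] if isinstance(node[k], list) else [node[k]]) + [key]
            continue
        while stack[-1][0] >= indent:                        # climb back to the parent section
            stack.pop()
        node = stack[-1][1]
        if value is None:                                    # section header: open a sub-dict
            node[key] = {}
            stack.append((indent, node[key]))
            last = None
        else:
            node[key] = value
            last = (node, m.start(3), key)                   # remember the value column
    return stack[0][1]

def esc1_candidates(parsed):
    """Template names meeting the conditions Certipy reports as ESC1."""
    hits = []
    for t in parsed.get("Certificate Templates", {}).values():
        vals = [v for sec in t.get("Permissions", {}).values() for v in sec.values()]
        names = {p.rsplit("\\", 1)[-1] for v in vals for p in (v if isinstance(v, list) else [v])}
        if names & LOW_PRIV and all(t.get(k) == v for k, v in ESC1_NEEDS.items()):
            hits.append(t["Template Name"])
    return hits
```

The same parser handles the Certificate Authorities block, whose Access Rights entries use the same aligned continuation lines.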
@at0mman

at0mman commented Jan 11, 2024

This is mostly because the certificate template you are using is not enabled. Run the certipy find command again with -enabled to get only enabled certificates.

@breachr

breachr commented Jan 11, 2024

Thanks for the reply, but it says:

Enabled                             : True

Doesn't that mean it's enabled?

@h4ckd0tm3

Had a similar issue; for me it was an error with how certipy changed the certificate.
Try to request the cert manually through the UI, if you have access to a domain-joined computer, to see what exactly the error is.

If you do not have access: in my case I could not select a CSP, so something was wrong there.

What I did was:
Make a copy of the old cert template, run the ESC4 command again (to export the changed template) and then edit the CSP field back to the original one. Then use the command that would be used to restore the backup, with the edited file. For me it worked, because a CSP was selected afterwards and I could proceed.

@breachr

breachr commented Jan 26, 2024

Thanks a lot for the response! Sounds like that could work. I will have access to this system in some months and will re-test it then and report back!

@mkannan22

mkannan22 commented Feb 14, 2024

Same issue. I also tried on the Windows side, from a domain-joined computer, through certmgr, and I receive the following error: An error occurred while enrolling for a certificate. A certificate request could not be created. Url: test.local\test-ca Error: No provider was specified for the store or object (CRYPT_E_NO_PROVIDER). It could have something to do with the CSP, but how can that be specified?

@Fabrizzio53

Same problem: CERTSRV_E_UNSUPPORTED_CERT_TYPE
