# ManageCertificates

## Summary

|                            |                       |
| -------------------------- | --------------------- |
| **FSProtect ACL Alias**    | ManageCertificates    |
| **Affected Object Types**  | Certificate Authority |
| **Exploitation Certainty** | Certain               |

## Description

The `ManageCertificates` permission in Active Directory grants a CA officer control over Certificate Authority (CA) operations such as approving or denying requests, configuring issuance policies, adjusting certificate validity and usage, managing the CA database, publishing CRLs, and configuring AIA/CDP locations.

While this permission allows visibility and management of certificate requests, the ability to re-issue previously failed certificate requests requires both `ManageCertificates` and `ManageCA` privileges.

## Identification

### PowerShell

**1.** Find-ManageCertificates function

```powershell
function Find-ManageCertificates {
    [CmdletBinding()]
    param(
        [string]   $OutputPath    = "ManageCertificates.csv",
        [string[]] $RightsToMatch = @('ManageCertificates'),
        [string]   $Target        = $null
    )
    Import-Module PSPKI -ErrorAction Stop
    Import-Module ActiveDirectory -ErrorAction Stop
    $Allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $results = [System.Collections.Generic.List[object]]::new()
    function Test-HasWantedRight {
        param($ace, [string[]]$wanted)
        $parts = ($ace.Rights.ToString() -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        return [bool]($parts | Where-Object { $wanted -contains $_ })
    }
    $publishedCAs = $null
    try {
        if ($Target) {
            Write-Host "Using specified CA target: $Target"
            $publishedCAs = Get-CertificationAuthority -ComputerName $Target -ErrorAction Stop
        }
        else {
            Write-Host "Enumerating all published Enterprise CAs from AD..."
            $publishedCAs = Get-CertificationAuthority -ErrorAction Stop
        }
    } catch {
        Write-Error "Failed to enumerate CAs: $($_.Exception.Message)"
        return
    }
    if (-not $publishedCAs) {
        Write-Host "No Certification Authorities found."
        return
    }
    foreach ($ca in $publishedCAs) {
        $acl = $null
        try {
            $acl = $ca | Get-CertificationAuthorityAcl -ErrorAction Stop
        } catch {
            Write-Warning "Failed to read CA ACL on '$($ca.ComputerName)' ('$($ca.DisplayName)'): $($_.Exception.Message)"
            continue
        }
        if (-not $acl -or -not $acl.Access) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne $Allow) { continue }
            if ($ace.IsInherited) { continue }
            if (Test-HasWantedRight -ace $ace -wanted $RightsToMatch) {
                $results.Add([pscustomobject]@{
                    'CA Host'  = $ca.ComputerName
                    'CA Name'  = $ca.DisplayName
                    'Identity' = $ace.IdentityReference.ToString()
                    'Rights'   = $ace.Rights.ToString()
                })
            }
        }
    }
    if ($results.Count -gt 0) {
        try {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Host "Results exported to '$OutputPath'"
        } catch {
            Write-Warning "Export failed: $($_.Exception.Message)"
        }
    } else {
        Write-Host "No matching ACEs found for rights: $($RightsToMatch -join ', ')."
    }
}
```

**2.** Scan all CAs in the domain

```powershell
Find-ManageCertificates
```

**3.** Scan a specific CA

```powershell
Find-ManageCertificates -Target 'DC.Forestall.labs'
```

### Certification Authority console

**1.** Open `Certification Authority (certsrv)` on the Certification Authority server.

**2.** Right-click the CA server name.

**3.** Select Properties from the context menu.

**4.** In the Properties window, go to the Security tab.

**5.** In the Security settings, select the Access Control Entry (ACE) for the user or group you want to inspect.

**6.** In the permissions list, locate and check the `ManageCertificates` permission.

**7.** Click OK to save and close.

![certsrv](/files/YnHtTbRVdUbiI1LmhEOR)

## Exploitation

This relationship by itself does not allow privilege escalation or impersonation. It may combine with other rights to create escalation paths.

For more details on abuse when ManageCA is also available, see the [ManageCA](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ManageCA/README.md) edge documentation.

## Mitigation

**1.** Open `Certification Authority (certsrv)` on the Certification Authority server.

**2.** Right-click the CA server name.

**3.** Select Properties from the context menu.

**4.** In the Properties window, go to the Security tab.

**5.** In the Security settings, select the ACE for the user or group whose permissions you want to change.

**6.** Remove the `ManageCertificates` permission from the selected ACE.

**7.** Click OK to save and close.

![certsrv](/files/YnHtTbRVdUbiI1LmhEOR)
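The same removal done with the PSPKI module that the identification script already relies on; this is an added example, not the page's own code. The CA host and principal are placeholders, and the cmdlet parameter names follow PSPKI 4.x.

```powershell
# Added example (not part of the original page): remove the ManageCertificates right from
# one principal's Allow ACE on a CA with PSPKI, then re-read the ACL to verify the result.
# $CaHost and $Identity are placeholders; cmdlet parameter names follow PSPKI 4.x.
Import-Module PSPKI -ErrorAction Stop

$CaHost   = 'CA01.example.local'        # placeholder: 'CA Host' column of the identification CSV
$Identity = 'EXAMPLE\Unexpected-Group'  # placeholder: 'Identity' column of the identification CSV

$ca  = Get-CertificationAuthority -ComputerName $CaHost -ErrorAction Stop
$acl = $ca | Get-CertificationAuthorityAcl -ErrorAction Stop

# Review the principal's current ACEs before changing anything.
Write-Host "ACEs for $Identity before the change:"
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } | Format-List

# Remove the ManageCertificates right from the principal's Allow ACE and write the ACL back.
# The CA service reads its security descriptor at start, so -RestartCA applies the change now.
$acl |
    Remove-CertificationAuthorityAcl -Identity $Identity -AccessType Allow -AccessRights ManageCertificates |
    Set-CertificationAuthorityAcl -RestartCA

# Re-read the ACL from the CA to confirm what the principal still holds: ManageCertificates
# should be gone, and the listing shows whether any other rights on that ACE remain.
Write-Host "ACEs for $Identity after the change:"
$ca | Get-CertificationAuthorityAcl -ErrorAction Stop |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } | Format-List
```

Run the identification function again afterwards to confirm the principal no longer appears in the CSV.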

## Detection

Changes to Access Control Entries on Active Directory objects update the `ntSecurityDescriptor` attribute. These modifications can be detected with Event IDs 5136 and 4662.

| Event ID | Description                                                                   | Fields/Attributes              | References                                                                                                             |
| -------- | ----------------------------------------------------------------------------- | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| 5136     | A directory service object was modified.                                      | ntSecurityDescriptor           | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136>                             |
| 4662     | An operation was performed on an object.                                      | AccessList, AccessMask         | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662>                             |
| 4886     | Certificate Services received a certificate request.                          | CertificateTemplate, Requester | <https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319076(v=ws.11)> |
| 4887     | Certificate Services approved a certificate request and issued a certificate. | CertificateTemplate, Requester | <https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319076(v=ws.11)> |
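An added example of collecting the events in this table with `Get-WinEvent`; it is not part of the original page. It is meant to be run on a domain controller for 5136 and on the CA host for 4886/4887, and the one-day lookback window is an assumption.

```powershell
# Added example (not part of the original page): read the events listed in the table above
# and project the fields this edge cares about. Requires the "Directory Service Changes"
# (5136, on the DC) and "Certification Services" (4886/4887, on the CA) audit subcategories
# to be enabled. $StartTime is a constructed lookback window.
$StartTime = (Get-Date).AddDays(-1)

function ConvertFrom-EventData {
    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 5136 is written on the domain controller that processed the change. Keep only writes to
# the security descriptor and surface who changed which object.
$sdChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $StartTime } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectDN  = $d.ObjectDN
                Operation = $d.OperationType   # %%14674 = value added, %%14675 = value deleted
            }
        }
    }

# 4886/4887 are written on the CA host. The requester and the request attributes (where the
# template name usually appears) are taken from the event's Data fields.
$caRequests = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887; StartTime = $StartTime } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Requester  = $d.Requester
            Attributes = $d.Attributes
        }
    }

Write-Host "Security descriptor changes since $StartTime"
$sdChanges | Format-Table -AutoSize

Write-Host "Certificate requests (4886) and issuances (4887) per requester"
$caRequests | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A requester that approves or issues far more than its peers, or a security-descriptor change made outside a change window, is the signal to correlate with the identification output.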


