ManageCA

Summary

FSProtect ACL Alias

ManageCA

Affected Object Types

CertificationAuthorities

Exploitation Certainty

Certain

Description

The ManageCA permission in a Certificate Authority (CA) environment allows an account to control CA operations. This includes tasks such as issuing, revoking, and renewing certificates, managing certificate templates, and updating CA configuration settings. It is essential for CA administrators to maintain the integrity of the Public Key Infrastructure (PKI) by ensuring that certificates are correctly managed and secure.

If the ManageCA permission is misconfigured, it can introduce significant security risks. An attacker with this permission can issue fraudulent certificates, revoke legitimate ones, or modify CA settings to bypass security controls. These actions could undermine trust in the CA, enabling the attacker to impersonate trusted entities, intercept secure communications, or gain unauthorized access to network resources.

Identification

PowerShell

Active Directory & PSPKI Modules

Using the ActiveDirectory and PSPKI PowerShell modules, you can identify ManageCA permissions on Certification Authorities in the domain.

Function: Find-ManageCA

function Find-ManageCA {
    [CmdletBinding()]
    param (
        [string]$ComputerDN = $null,          # Distinguished Name of one CA computer object; omit to scan the whole domain
        [string]$OutputPath = "ManageCA.csv"  # CSV file that receives the findings
    )
    # Load the two modules the scan depends on: ActiveDirectory (computer lookup) and PSPKI (CA ACL access).
    foreach ($module in @("ActiveDirectory", "PSPKI")) {
        if (-not (Get-Module -Name $module)) {
            Write-Host "Attempting to load $module module..."
            try {
                Import-Module $module -ErrorAction Stop
                Write-Host "$module module loaded successfully."
            }
            catch {
                Write-Error "Failed to load $module module. Please ensure it is installed."
                return
            }
        }
    }
    # Only Allow ACEs grant ManageCA; Deny entries are not reported.
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
    $results = @()
    try {
        if ($ComputerDN) {
            Write-Host "Scanning specific Certification Authority: $ComputerDN"
            $ComputerName = (Get-ADComputer -Identity $ComputerDN -Properties dNSHostName |
                             Select-Object -ExpandProperty dNSHostName)
            $targetComputers = @($ComputerName)
        }
        else {
            # Every domain computer is probed; hosts that do not run a CA fail in the inner
            # try/catch below and are reported as warnings rather than stopping the scan.
            Write-Host "Scanning all Certification Authorities in the domain..."
            $targetComputers = Get-ADComputer -Filter * -Properties dNSHostName |
                               Select-Object -ExpandProperty dNSHostName
        }
        foreach ($ComputerName in $targetComputers) {
            try {
                # Read the CA's own security descriptor (not the AD object's ACL) and keep
                # explicit (non-inherited) Allow ACEs that carry the ManageCA right.
                Get-CertificationAuthority -ComputerName $ComputerName |
                Get-CertificationAuthorityAcl |
                Select-Object -ExpandProperty Access |
                Where-Object {
                    $_.AccessControlType -eq $AccessControlType -and
                    $_.Rights -like "*ManageCA*" -and
                    $_.IsInherited -eq $false
                } |
                ForEach-Object {
                    $results += [PSCustomObject]@{
                        "Vulnerable CA"   = $ComputerName
                        "Internal Threat" = $_.IdentityReference
                    }
                }
            }
            catch { Write-Warning "Error scanning CA on $ComputerName : $($_.Exception.Message)" }
        }
    }
    catch {
        Write-Error "Unexpected error during CA scan: $($_.Exception.Message)"
        return
    }
    if ($results.Count -gt 0) {
        try {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Host "Results exported successfully to '$OutputPath'"
        }
        catch { Write-Error "Failed to export results to CSV: $($_.Exception.Message)" }
    }
    else { Write-Host "No ManageCA permissions found." }
}

Usage Examples:

1. Scan all Certification Authorities in the domain

2. Scan a specific CA server by Distinguished Name

3. Save results to a custom file path

Certification Authority Console (GUI)

1. Open the Certification Authority management console (certsrv) on your CA server.

2. Right-click the CA server name and choose Properties.

3. Go to the Security tab.

4. Locate the Access Control Entry (ACE) for the user or group you want to review.

5. In the permissions list, check whether the ManageCA permission is set.

6. Click OK to save and close.

Exploitation

The ManageCA permission provides an attacker with full administrative control over the Certification Authority (CA).

Windows

Add our user as officer

Example:

Enable by default ESC01 vulnerable SubCA template

Example:

Request a certificate from SubCA

Example:

Issue the failed request

Example:

Retrieve the issued certificate

Example:

Retrieve Domain Admin NTLM hash

Example:

Linux

Add our user as officer

Example:

Enable by default ESC01 vulnerable SubCA template

Example:

Request a certificate from SubCA

Example:

Issue the failed request

Example:

Retrieve the issued certificate

Example:

Retrieve Domain Admin NTLM hash

Example:

Mitigation

To reduce the risk associated with ManageCA, follow the steps below:

1. Open the Certification Authority management console (certsrv) on the CA server.

2. Right-click the CA server name and choose Properties.

3. In the Properties window, go to the Security tab.

4. In the Security settings, locate and select the Access Control Entry (ACE) for the user or group you want to configure.

5. In the permissions list, remove the ManageCA permission if it is not required.

6. Click OK to save the changes.

Detection

Adding new Access Control Entries (ACEs) to Active Directory objects changes the object's ntSecurityDescriptor attribute; these writes are recorded on domain controllers as Event IDs 5136 and 4662 when directory service auditing and the object SACLs are configured. Changes to the CA's own security descriptor, which is where ManageCA is granted, are recorded on the CA host as Event ID 4882, provided Certification Services auditing is enabled on that CA.

Event ID | Description | Fields/Attributes | References
5136 | A directory service object was modified. | ntSecurityDescriptor | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
4662 | An operation was performed on an object. | AccessList, AccessMask | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
4882 | The security permissions for Certificate Services changed. | Permission | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)
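The following function collects the CA-side (4882) and DC-side (5136) events from the table above and normalizes their EventData into one triage list. It is an added example, not code from the original page; it assumes PowerShell 5.1 or later, a caller permitted to read the remote Security logs, Directory Service Changes auditing with SACLs on the domain controller, and Certification Services auditing on the CA host. The field names it reads (SubjectUserName, SubjectDomainName, ObjectDN, AttributeLDAPDisplayName, OperationType) are those documented for these events; restricting 5136 to objects under CN=Public Key Services is an assumption about where the AD CS objects live.

```powershell
function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> section of a Security event into a hashtable.
    param([Parameter(Mandatory)]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($node.Name) { $data[$node.Name] = $node.'#text' }
    }
    return $data
}

function Get-CAPermissionChangeEvents {
    [CmdletBinding()]
    param(
        [string]$CAComputerName = $env:COMPUTERNAME,  # CA host: emits 4882
        [string]$DomainController,                     # DC: emits 5136 (skipped when omitted)
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $rows  = @()

    # 4882 is logged on the CA itself when the CA security descriptor (where ManageCA is granted) changes.
    Get-WinEvent -ComputerName $CAComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4882; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        # Fall back to the record's SID if the Subject fields are absent on this OS build.
        $actor = if ($d['SubjectUserName']) { "$($d['SubjectDomainName'])\$($d['SubjectUserName'])" } else { "$($_.UserId)" }
        $rows += [PSCustomObject]@{
            Time = $_.TimeCreated; Source = $_.MachineName; EventId = $_.Id; Actor = $actor
            Object = 'CA security descriptor'; Detail = ($_.Message -split "`r?`n")[0]
        }
    }

    if ($DomainController) {
        # 5136 is logged on the DC for any audited attribute write; keep only nTSecurityDescriptor writes on
        # AD CS objects (assumption: they sit under CN=Public Key Services in the Configuration partition).
        Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor' -and
                $d['ObjectDN'] -like '*CN=Public Key Services,CN=Services,CN=Configuration,*') {
                $rows += [PSCustomObject]@{
                    Time = $_.TimeCreated; Source = $_.MachineName; EventId = $_.Id
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object = $d['ObjectDN']
                    Detail = "OperationType $($d['OperationType'])"  # %%14674 = value added, %%14675 = value deleted
                }
            }
        }
    }
    $rows | Sort-Object Time
}
```

Run it as `Get-CAPermissionChangeEvents -CAComputerName <CA host> -DomainController <DC> -Hours 72` and compare the Actor column against the accounts expected to administer the CA; any 4882 from an unexpected actor is worth a follow-up with Find-ManageCA to see what the ACL now contains.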
