ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Only request the private key for ESC1 ADCS Vuln. #165

Closed OreoByte closed 1 year ago

OreoByte commented 1 year ago

Says it's VULN to ESC1 with find but only requests the private key

certipy find -u <user>@<domain> -p <pass> -vulnerable -stdout

[!] Got error while trying to get CA configuration for 'CERT-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.

certipy req -u <user>@<domain> -p <pass> -ca <ca-name> -template <template> -target <FQDN> -dc-ip <rhost-ip>

Certipy v4.8.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80092013 - CRYPT_E_REVOCATION_OFFLINE - The revocation function was unable to check revocation because the revocation server was offline.
[*] Request ID is 14
Would you like to save the private key? (y/N)

ly4k commented 1 year ago

Whenever a certificate request fails, Certipy asks if you’d like to save the private key - because no certificate was issued. However, it might be that at a later point, the request goes through, and you can then retrieve the certificate. If you didn’t save the private key, then you’d only have a certificate.

The error you are experiencing is solely server-side. It’s usually an indication that the server needs a reboot, and it can happen quite often in your own lab environment in a VM, if you work with snapshots or pause a VM.