ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.23k stars 302 forks

The requested certificate template is not supported by this CA. #191

Closed helloyw closed 5 months ago

helloyw commented 6 months ago

This error occurred when I was using ESC4. By using the command -vulnerable, it can be determined that the template has an ESC4 vulnerability.

certipy req -username test@test.com -password "password@123" -ca DC1-CA -target DC1.test.com -template HorizonV8 -upn administrator@test.com -dns-tcp -ns 172.16.12.8
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094800 - CERTSRV_E_UNSUPPORTED_CERT_TYPE - The requested certificate template is not supported by this CA.
[*] Request ID is 129
Would you like to save the private key? (y/N) n
[-] Failed to request certificate

at0mman commented 5 months ago

This is mostly because the certificate template you are using is not enabled. Run the certipy find command again with -enabled to get only enabled certificates.

helloyw commented 5 months ago

> This is mostly because the certificate template you are using is not enabled. Run the certipy find command again with -enabled to get only enabled certificates.

But I used this template and successfully applied for a pfx certificate using esc1, but encountered an error like the one in the picture. Is this error also caused by not enabling the template?

kerberos sessionerror: kdc_err_inconsistent_key_purpose(certificate cannot be used for pkinit client authentication)

helloyw commented 5 months ago

Looking forward to your reply again

h4ckd0tm3 commented 5 months ago

See https://github.com/ly4k/Certipy/issues/189#issuecomment-1908163430

helloyw commented 5 months ago

> See #189 (comment)

Do you have detailed usage instructions for reference? Thank you for your reply