Open qtc-de opened 7 months ago
I see that this "only" affects files dealing with the "req" command. Would this also be useful for the "relay" command or is this not applicable due to DCOM hardening?
It appears that when relaying, it is necessary to use web enrollment for certificate issuance instead of other methods.
That is not correct. See for example the description of ESC11 in this repository. Relay is also possible against RPC if certain configuration is present (that is, `IF_ENFORCEENCRYPTICERTREQUEST` is not set).
This is why I was wondering if DCOM could also be used as a relay target. Maybe this also depends on specific configuration settings and would be too much for this pull request, but instead should be a dedicated ESC number on its own. Unfortunately, I don't know much about DCOM and therefore can't evaluate the possibility myself.
Oh, indeed, that's my mistake. I didn't take ESC11 into consideration, only focused on ESC8.
In the last few months, we encountered more and more ADCS instances that neither supported web enrollment, nor exposed the CertSvc via plain RPC. The output of `certipy req` looks like this in that case:

Still, the ADCS was fully functional and native Windows tooling like `mmc` was capable of obtaining certificates. At this point we noticed that `mmc` does not rely on plain RPC, but on DCOM for obtaining the certificate. The corresponding DCOM interface `ICertRequestD` is described in this Microsoft spec. And indeed, adjusting certipy to use DCOM instead of plain RPC allowed us to obtain certificates again. This MR adds this functionality and allows users to specify the `-dcom` switch with the `req` action.

The error handling was copied from the RPC-related certipy code and may not fit 100% for COM. However, this is something that probably pops up in user issues and can be investigated then :upside_down_face:
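As an added example (not code from this PR or from the Certipy project), the following PowerShell ties together the two points raised in this thread: the `IF_ENFORCEENCRYPTICERTREQUEST` flag that decides whether the RPC interface is an ESC11 relay target, and a CA that answers neither web enrollment nor plain RPC yet still serves `mmc` over DCOM. It probes the three channels from a domain-joined Windows host using `certutil.exe`. The CA config string is a placeholder, the HTTP probe and the parsing of `certutil -getreg` output are my assumptions about certutil's formatting, and reading `InterfaceFlags` remotely needs CA admin rights. It goes beyond the PR text by also decoding `IF_NORPCICERTREQUEST`, one configuration that produces exactly the "RPC off, DCOM on" situation described above.

```powershell
# Added example, not part of this PR or of Certipy: probe which enrollment
# channels an Enterprise CA exposes, to decide whether `certipy req` needs -dcom.
# Requires certutil.exe on a domain-joined host; -getreg needs CA admin rights.
# The default config string is a placeholder (assumption): "<host>\<CA name>".
param(
    [string]$Config = 'ca01.corp.local\corp-CA01-CA'
)

$caHost = $Config.Split('\')[0]
$report = [ordered]@{ Config = $Config }

# 1. Web enrollment (the ESC8 relay target). /certsrv answers 401 when installed;
#    a connection failure or 404 means the role is absent.
try {
    Invoke-WebRequest -Uri "http://$caHost/certsrv/" -UseBasicParsing -ErrorAction Stop | Out-Null
    $report['WebEnrollment'] = 'present (200)'
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    $report['WebEnrollment'] = if ($status -eq 401) { 'present (401)' } else { "absent/unreachable ($status)" }
}

# 2. DCOM request interface (ICertRequestD), the path mmc and the -dcom switch use.
#    certutil -ping talks to the request interface and exits 0 on success.
certutil -config $Config -ping 2>&1 | Out-Null
$report['DcomICertRequestD'] = if ($LASTEXITCODE -eq 0) { 'reachable' } else { "unreachable (exit $LASTEXITCODE)" }

# 3. InterfaceFlags from the CA registry (HKLM\...\CertSvc\Configuration\<CA>).
#    Bit values as defined for the CertSvc InterfaceFlags value:
$IF_NORPCICERTREQUEST          = 0x008   # plain RPC (ICertPassage) disabled; DCOM still answers
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200   # PKT_PRIVACY required on ICertPassage: blocks ESC11 relay

# Expected line (assumption about certutil's format): "InterfaceFlags REG_DWORD = 641 (1601)"
$raw = certutil -config $Config -getreg 'CA\InterfaceFlags' 2>&1 | Out-String
if ($raw -match 'InterfaceFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $flags = [Convert]::ToInt32($Matches[1], 16)
    $report['InterfaceFlags']        = ('0x{0:x}' -f $flags)
    $report['PlainRpcDisabled']      = [bool]($flags -band $IF_NORPCICERTREQUEST)
    $report['EnforceEncryptRequest'] = [bool]($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
} else {
    $report['InterfaceFlags'] = 'could not read (CA admin rights required?)'
}

[pscustomobject]$report | Format-List
```

Reading the output: `WebEnrollment` absent, `PlainRpcDisabled` true and `DcomICertRequestD` reachable is the case this PR addresses, so `certipy req` needs `-dcom` there. `WebEnrollment` present is the ESC8 condition, and `EnforceEncryptRequest` false with plain RPC enabled is the ESC11 condition the thread refers to. `certutil -ping` only proves the DCOM request interface answers your own credentials; it says nothing about whether that interface could also serve as a relay target, which is the open question above.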