
[Bug] Certipy fails to detect Write access to template #353

@GeisericII

Description


🔒 Certipy Version

5.0.4

🖥️ Operating System

Kali 2025

📥 Command Used

certipy find -u users@domain -p 'password'  -ldap-scheme ldaps -dc-host dc1.domain.local -stdout -enabled -dc-only

🧯 Error Message / Unexpected Output

-

πŸ” Relevant certipy find Output (abbreviated and redacted)

    Template Name                       : Templatename
    Display Name                        : Templatename
    Certificate Authorities             : CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2026-01-17T15:39:18+00:00
    Template Last Modified              : 2026-02-05T11:50:42+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : DOMAIN.LOCAL\Domain Admins
                                          DOMAIN.LOCAL\Enterprise Admins
      Object Control Permissions
        Owner                           : DOMAIN.LOCAL\Administrator
        Full Control Principals         : DOMAIN.LOCAL\Domain Admins
                                          DOMAIN.LOCAL\Enterprise Admins
        Write Owner Principals          : DOMAIN.LOCAL\Domain Admins
                                          DOMAIN.LOCAL\Enterprise Admins
        Write Dacl Principals           : DOMAIN.LOCAL\Domain Admins
                                          DOMAIN.LOCAL\Enterprise Admins
        Write Property Enroll           : DOMAIN.LOCAL\Domain Admins
                                          DOMAIN.LOCAL\Enterprise Admins

✅ Expected Behavior

I would expect Certipy to properly identify all the groups that have write access to the template.

📎 Additional Context

In this scenario the group "CA Managers" has been assigned "Read" and "Write" access over the template:

[Image]

However, this group is not reported by Certipy. I have noticed that if the "Enroll" checkbox is ticked, then Certipy will properly identify the ACLs.

Please also note that attempting to exploit ESC4 works even if Certipy doesn't correctly identify the group.
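Added example (not part of the issue and not Certipy's own code): a small, self-contained audit of a template DACL that classifies each ACE by the right it grants, so a principal holding an unscoped write-property right but no Enroll right is still reported as able to modify the template. The Ace dataclass, the sample DACL and the Helpdesk placeholder GUID are constructed for the example; the access-mask bits and the Enroll/AutoEnroll extended-right GUIDs are the standard Windows values.

```python
"""
Classify the ACEs in a certificate template's DACL by the control each one
grants, so that principals with write access are reported whether or not
they also hold an enrollment right.

Constructed stand-alone example; it is not Certipy code. ACEs are modelled
as a simplified dataclass rather than the binary security descriptor
format Certipy reads over LDAP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Access-mask bits from the Windows ACCESS_MASK / ADS_RIGHTS_ENUM (real values).
DS_LIST           = 0x00000004
DS_READ_PROP      = 0x00000010
DS_WRITE_PROP     = 0x00000020
DS_CONTROL_ACCESS = 0x00000100
READ_CONTROL      = 0x00020000
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
GENERIC_ALL       = 0x10000000
GENERIC_WRITE     = 0x40000000
# Every specific right on a directory object; equivalent to "Full Control".
FULL_CONTROL_MASK = 0x000F01FF

# Well-known extended-right GUIDs for certificate enrollment (real values).
ENROLL_GUID     = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL_GUID = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"

CATEGORIES = ("full_control", "write_owner", "write_dacl", "write_property", "enroll")


@dataclass
class Ace:
    """One ACCESS_ALLOWED(_OBJECT) ACE (constructed model). object_type=None
    means the ACE is not scoped to a single property or extended right."""
    principal: str
    mask: int
    object_type: Optional[str] = None


def classify_ace(ace: Ace) -> set:
    """Return the control categories a single ACE grants."""
    m = ace.mask
    if m & GENERIC_ALL or (m & FULL_CONTROL_MASK) == FULL_CONTROL_MASK:
        return set(CATEGORIES)
    found = set()
    if m & WRITE_OWNER:
        found.add("write_owner")
    if m & WRITE_DAC:
        found.add("write_dacl")
    # An unscoped write-property right (or a generic write) lets the holder
    # rewrite template attributes such as EKUs and flags: the ESC4 precondition.
    # A write-property ACE scoped to one property GUID does not qualify.
    if m & GENERIC_WRITE or (m & DS_WRITE_PROP and ace.object_type is None):
        found.add("write_property")
    # A control-access right counts as enrollment only when it is unscoped or
    # scoped to the Enroll / AutoEnroll extended rights.
    if m & DS_CONTROL_ACCESS and ace.object_type in (None, ENROLL_GUID, AUTOENROLL_GUID):
        found.add("enroll")
    return found


def audit_template(dacl: List[Ace]) -> Dict[str, List[str]]:
    """Map every category to the principals holding it, in DACL order."""
    report: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for ace in dacl:
        for cat in classify_ace(ace):
            if ace.principal not in report[cat]:
                report[cat].append(ace.principal)
    return report


def write_capable_principals(dacl: List[Ace]) -> List[str]:
    """Principals able to modify the template, enrollment right or not."""
    report = audit_template(dacl)
    out: List[str] = []
    for cat in ("full_control", "write_owner", "write_dacl", "write_property"):
        for principal in report[cat]:
            if principal not in out:
                out.append(principal)
    return out


# Constructed DACL mirroring the report: admins with full control, a
# "CA Managers" group with Read + Write but no Enroll, an enroll-only group,
# and a group whose write right is scoped to a single (placeholder) property.
SAMPLE_DACL = [
    Ace("DOMAIN.LOCAL\\Domain Admins", GENERIC_ALL),
    Ace("DOMAIN.LOCAL\\Enterprise Admins", FULL_CONTROL_MASK),
    Ace("DOMAIN.LOCAL\\CA Managers", DS_LIST | DS_READ_PROP | DS_WRITE_PROP | READ_CONTROL),
    Ace("DOMAIN.LOCAL\\Domain Users", DS_CONTROL_ACCESS, ENROLL_GUID),
    Ace("DOMAIN.LOCAL\\Helpdesk", DS_WRITE_PROP, "00000000-0000-0000-0000-placeholder0"),
]

if __name__ == "__main__":
    for cat, principals in audit_template(SAMPLE_DACL).items():
        print(f"{cat:15s}: {', '.join(principals) or '-'}")
    print("write-capable  :", ", ".join(write_capable_principals(SAMPLE_DACL)))
```

Run stand-alone, the audit lists CA Managers under write_property (and therefore among the write-capable principals) while leaving it out of enroll, which is the distinction the report says the tool output collapses. The Helpdesk ACE is deliberately scoped to one property GUID and is not flagged, so the check does not over-report either.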
