This CA handler uses the Microsoft Windows Client Certificate Enrollment Protocol. The handler is using code from Certipy which is a kind of pentesting tool for AD-CS.
When using the handler please be aware of the following limitations:
- CA certificates cannot be fetched from CA server and must be loaded via
ca_bundleoption configured inacme_srv.cfg - Revocation operations are not (yet) supported
- Active Directory Certificate Services (AD-CS) must be enabled and configured - of course :-)
- The CA handler is using RPC/DCOM to communicate with the CA server. That means that your CA-server must be reachable via TCP port 445.
- (optional): In case you are installing from RPM or DEB and plan to use kerberos authentication you need an updated impacket modules of version 0.11 or higher as older versions have issues with the handling of utf8-encoded passwords. If you have no clue from where to get these packaages feel free to use the one being part of the a2c github repository
- You need to have a set of credentials with permissions to access the service and enrollment templates
- install the impacket via pip (the module is already part of the docker images)
root@rlh:~# pip install impacket- modify the server configuration (acme_srv/acme_srv.cfg) and add the following parameters
[CAhandler]
handler_file: examples/ca_handler/mswcce_ca_handler.py
host: <hostname>
user: <username>
password: <password>
target_domain: <domain name>
domain_controller: <ip address of domain controller>
ca_name: <ca name>
ca_bundle: <filename>
template: <template name>
timeout: 5
use_kerberos: False
allowed_domainlist: ["example.com", "*.example2.com"]
- host - hostname of the system providing the enrollment service
- host_variable - optional - name of the environment variable containing host address (a configured
hostparameter in acme_srv.cfg takes precedence) - user - username used to access the service
- user_variable - optional - name of the environment variable containing the username used for service access (a configured
userparameter in acme_srv.cfg takes precedence) - password - password
- password_variable - optional - name of the environment variable containing the password used for service access (a configured
passwordparameter in acme_srv.cfg takes precedence) - target_domain - optional - ads domain name
- domain_controller - optional - IP Address of the domain controller / dns server.
- dns_server - optional - IP Address of dns server.
- ca_name - certificate authority name
- ca_bundle - CA certificate chain in pem format delievered along with the client certificate
- template - certificate template used for enrollment
- timeout - optional - enrollment timeout (default: 5)
- use_kerberos - use kerboros for authentication; if set to
Falseauthentication will be done via NTLM. Considering a Microsoft accouncement from October 2023 the usage of Kerberos should be preferred. Nevertheless, for backwards compatibility reasons the default setting isFalse - allowed_domainlist - optional - list of domain-names allowed for enrollment in json format example: ["bar.local$, bar.foo.local]
The handler makes use of the header_info_list feature allowing an acme-client to specify a template name to be used during certificate enrollment. This feature is disabled by default and must be activate in acme_srv.cfg as shown below
[Order]
...
header_info_list: ["HTTP_USER_AGENT"]
The acme-client can then specify the temmplate name as part of its user-agent string.
Example for acme.sh:
docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent template=foo --debug 3 --output-insecureExample for lego:
docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "[email protected]" --user-agent template=foo -d <fqdn> --http run