Skip to main content
Applies to BloodHound Enterprise and CE This permission allows the principal to approve certificate requests that require manager approval and to modify certain properties (e.g., adding extensions to pending certificates). It does not by itself guarantee a privilege escalation but often removes a final barrier (manager approval) in ADCS abuse paths.

Abuse Info

An attacker can identify ADCS escalation opportunities where manager approval on a template prevents direct abuse, but leverage the Certificate Manager role to approve the pending request. Alternatively, the role can be abused to add an extension to pending certificates (e.g., to insert a group-linked issuance policy in environments using Authentication Mechanism Assurance (AMA)). See Certify wiki - Escalation Techniques - ManageCertificates for details.

Windows

Request a certificate that requires manager approval (example ESC1 scenario):
Note the printed private key and request ID. Approve the certificate:
Download the issued certificate with the embedded private key (Base64 PFX):
Authenticate using the certificate (Rubeus example):

Linux

Approve a pending request:
Retrieve the issued certificate:

Opsec Considerations

Approving requests generates issuance events and stores issued certificates on the CA host. Repeated approvals or unusual patterns (e.g., high-value templates) may be monitored. Added extensions or policy changes may be auditable depending on CA logging configuration.

Edge Schema

Source: User, Group, Computer
Destination: EnterpriseCA
Traversable: Yes

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

Abuse and Opsec references