Requesting, signing and pairing internal certificates without Web Enrollment portal

Val Komarovskiy, MBA


CA (Certificate Authority) Web Enrollment: what the risk is and why you should remove IIS from the CA

The web enrollment portal, if not properly secured and implemented, can create vulnerabilities for a certificate authority (CA) for the following reasons:

  1. Unauthorized Access: If the web enrollment portal does not have sufficient authentication and access controls, it can be vulnerable to unauthorized access. Attackers may exploit this vulnerability to gain access to the CA system, manipulate certificate requests, issue fraudulent certificates, or tamper with the CA’s operations.
  2. Malicious Certificate Requests: An insecure web enrollment portal can be exploited to submit malicious or fraudulent certificate requests. Attackers can craft certificate requests with malicious intent, such as requesting certificates for unauthorized purposes or impersonating legitimate entities. These malicious certificates can be used for activities like phishing, man-in-the-middle attacks, or unauthorized access to secure systems.
  3. Injection Attacks: Web enrollment portals that are not properly protected against injection attacks, such as SQL injection or cross-site scripting (XSS), can be compromised. Attackers can exploit these vulnerabilities to execute arbitrary code, tamper with data, or gain unauthorized access to the CA’s infrastructure.
  4. Denial of Service (DoS) Attacks: If the web enrollment portal is not resilient to DoS attacks, it can be overwhelmed with a high volume of malicious requests, rendering it inaccessible to legitimate users. This can disrupt the CA’s operations, prevent certificate issuance, and impact the availability of secure services relying on those certificates.
  5. Information Disclosure: Weak security controls on the web enrollment portal can lead to the disclosure of sensitive information. Attackers may exploit vulnerabilities to gain access to private keys, certificate signing requests (CSRs), or other confidential data, compromising the security and integrity of the CA’s operations.
  6. It becomes another website that you have to secure, patch and manage, review and control access for, create and renew certificates for, etc. If your root CA is offline, then you need to reverse proxy from the web enrollment site to the subordinate CA; something has to present and secure that connection. If you wish to restrict the web enrollment service to specific groups, you will need to manage and update authorization rules.

Overall, web enrollment became a nightmare of its own, and in many cases it is not worth doing all that work for the capability it provides: submitting CSRs.

There are over a dozen critical vulnerabilities presented by the Web Enrollment service, and new ones are continuously being uncovered. I just don’t think it is worth the risk of having it around for the amount of work needed to harden and secure it.

Some of the critical Web Enrollment vulnerabilities and attack surface capabilities:

- Template Enrollment Attacks ESC1 – privileged user impersonation
- Machine and Domain Persistence and Domain Escalation ESC7
- User Credentials Theft by theft of user context through web enrollment
- NTLM relay through the IIS service used by Web Enrollment
- CVE-2022-26923 / PetitPotam CA Template abuse and Domain Takeover

You can live happily ever after without CA web enrollment. In this article I show you how you can:

- Make a CSR (Certificate Signing Request) using a PowerShell script
- Sign a pending certificate with the Certreq utility and submit it to the CA chain
- Move the signed certificate back and pair it with the CSR, so the certificate and its private key form a matching pair
- Export the certificate with the private key, and check the certificate for validity, CA chain and SANs
- Check and export certificate templates to match the needed template to your request

We can use the Certreq.exe command-line tool to submit a certificate signing request (CSR) to a Windows Certificate Authority (CA) and then sign it. I will show you how to do it all with one handy script after your Web Enrollment server has been removed, along with the IIS role.
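The whole request, sign and pair cycle can also be done with certreq.exe alone, talking to the CA over RPC/DCOM with no IIS in the picture. The script below is an added example, not the article's script and not the PowerShell Gallery Request-Certificate.ps1; the CA config string, template name, host names and the C:\certreq working folder are assumed placeholders that you replace with your own values.

```powershell
# Added example: request, submit and pair a machine certificate with certreq.exe only.
# All values below are placeholders (assumptions for this example).
$CAConfig   = 'testsrv.test.ch\Test CA'   # "<CA host>\<CA common name>"
$Template   = 'Webservercert'             # must exist on the CA and grant Enroll to this computer
$CommonName = 'webserver.test.ch'
$DnsNames   = @('webserver.test.ch', 'srvweb.test.local')
$WorkDir    = 'C:\certreq'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'

# 0. Check which templates the CA offers and which ones this computer may enroll for,
#    so the template name in the request matches what the CA will actually issue.
certutil -CATemplates -config $CAConfig

# 1. Describe the request. The SANs go into the CSR as an X.509 extension (OID 2.5.29.17),
#    so the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 flag that lets any requester
#    inject names through a request attribute; the template keeps control of what is issued.
$SanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$SanLines

[RequestAttributes]
CertificateTemplate = $Template
"@
# Exportable = TRUE only because the private key is exported to a PFX later; set it to FALSE
# when the key should never leave this machine.
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 2. Generate the key pair in the local machine key store and write the CSR.
#    The private key stays on this computer; only request.req goes to the CA.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 3. Submit the CSR directly to the CA. "Certificate retrieved(Issued)" means the template
#    auto-issued; "Certificate request is pending" means a CA manager must approve the
#    request ID that certreq prints.
certreq -submit -config $CAConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed' }

# If the request was pending and has since been approved, retrieve it by request ID instead:
#   certreq -retrieve -config $CAConfig <RequestId> $CerPath

# 4. Pair the issued certificate with the private key created in step 2.
#    certreq matches on the public key, so a certificate that belongs to another request is refused.
certreq -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 5. Confirm the pairing: the certificate sits in the computer's Personal store with HasPrivateKey = True.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CommonName" } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```

Run it in an elevated PowerShell on the computer that will use the certificate, since MachineKeySet = TRUE places the key in the local machine store. The enrollment permission check happens on the CA against this computer's account, which is the same authorization the template enforces for any enrollment path.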

  1. Log in to the server where you will be making the request; the easiest option is the computer where the certificate will be installed.
  2. Copy the script file required to make the requests. You may use the PowerShell Gallery script.
  3. Launch PowerShell as administrator. Below are examples of requests that can be made using PowerShell.

If this is the first time you are running a script on this system, run the command

Set-ExecutionPolicy Unrestricted

You will want to add the Certificates snap-in in MMC in order to see which certificates you already have, as well as the one you are going to request, sign and install: add the snap-in for the local computer account certificate store and select Local Computer.

Keep the Certificates MMC open for now.

Copy the PowerShell script from PowerShell Gallery into a PowerShell ISE window and save the script as Request-Certificate.ps1.

In its simplest form the script requests a simple certificate, but there are more advanced options that I will cover.

Possible command examples for the script

EXAMPLE 1

This command requests a certificate from the enterprise CA in the local Active Directory.

The user will be asked for the value for the CN of the certificate.

C:\PS> .\Request-Certificate.ps1 -CAName "testsrv.test.ch\Test CA"

EXAMPLE 2

This command requests a certificate from the CA testsrv.test.ch\Test CA with the certificate template "Webservercert" and a CN of webserver.test.ch.

The user will be asked for the value for the CN of the certificate.

C:\PS> .\Request-Certificate.ps1 -CN "webserver.test.ch" -CAName "testsrv.test.ch\Test CA" -TemplateName "Webservercert"

EXAMPLE 3

This command requests a certificate with a CN of webserver.test.ch and subject alternative names (SANs).

The SANs of the certificate are the DNS names webserver.test.ch and srvweb.test.local.

C:\PS> .\Request-Certificate.ps1 -CN "webserver.test.ch" -SAN "DNS=webserver.test.ch,DNS=srvweb.test.local"

With this example, because no CA name is given, you will get a prompt for a certificate server.

You will get feedback that the certificate has been issued and installed.

You can see the certificate installed in the local machine’s Personal store.

EXAMPLE 4

This command requests a certificate with a CN of webserver.test.ch and subject alternative names (SANs).

The CA used is testsrv.test.ch\Test CA and the template name is LDAPOverSSL.

The SANs of the certificate are the DNS names webserver.test.ch and srvweb.test.local.

C:\PS> .\Request-Certificate.ps1 -CN "webserver.test.ch" -SAN "DNS=webserver.test.ch,DNS=srvweb.test.local" -CAName "testsrv.test.ch\Test CA" -TemplateName "LDAPOverSSL"
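Once the certificate is installed, it is worth confirming that it really is paired with its private key, chains to your CA, is inside its validity window and carries exactly the SANs you requested, before exporting it with the private key. The script below is an added example, not part of the article or of the Request-Certificate.ps1 script; the CN, the expected SAN list and the PFX path are assumed placeholders.

```powershell
# Added example: validate the issued certificate (validity, chain, SANs) and export it as PFX.
# $CommonName, $ExpectedSans and $PfxPath are placeholders (assumptions for this example).
$CommonName   = 'webserver.test.ch'
$ExpectedSans = @('webserver.test.ch', 'srvweb.test.local')
$PfxPath      = 'C:\certreq\webserver.pfx'

# Newest certificate for this CN in the computer's Personal store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CommonName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$CommonName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key: it was never paired with its request"
}

# 1. Validity window and chain. X509Chain.Build walks up to a trusted root and, with
#    RevocationMode Online, checks CRL/OCSP; ChainStatus explains any failure.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Chain does not build to a trusted root'
}
Write-Host 'Chain (leaf to root):'
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

# Test-Certificate (PKI module) repeats the check with the SSL server policy and the expected host name
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $CommonName -ErrorAction SilentlyContinue)) {
    throw "Certificate does not pass the SSL policy for $CommonName"
}

# 2. SANs: read the Subject Alternative Name extension and compare it with what was requested.
#    Names you did not request are a sign that the template or CA lets requesters add SANs freely.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no SAN extension' }
$sanText = $sanExt.Format($true)                       # one "DNS Name=..." entry per line
$sans    = [regex]::Matches($sanText, 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$missing = $ExpectedSans | Where-Object { $sans -notcontains $_ }
$extra   = $sans | Where-Object { $ExpectedSans -notcontains $_ }
if ($missing) { throw "SANs missing from certificate: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Certificate carries SANs that were not requested: $($extra -join ', ')" }

# 3. Export certificate + private key + issuing chain as a password-protected PFX.
#    This only works if the key was created exportable; the PFX contains the private key,
#    so store and transfer the file with the same care as a password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
```

If the key was created non-exportable, Export-PfxCertificate fails and that is the intended outcome; export the public certificate alone with Export-Certificate instead and re-request with an exportable key only where the key genuinely has to move.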
