docs/metasploit-framework.wiki/ad-certificates/overview.md
Active Directory Certificate Services, also known as AD CS, is the Active Directory role that lets administrators issue and manage public key certificates used to authenticate to services and principals on the domain. It is commonly used to issue certificates that take the place of credentials for logging into a network, or certificates used to sign data and verify its authenticity.
The main guarantees that AD CS aims to provide are:
Because AD CS often holds highly sensitive keys and access credentials for a corporate network, it is a prime target for attackers.
Active Directory requires the following TCP ports be open on all domain controllers, which heavily overlaps with the ports required for AD CS:
AD CS additionally has the following requirements for Certificate Authorities:
The following ports are optional depending on services used, and tend to apply to Certificate Enrollment Web Services:
If using Active Directory Federation Services (ADFS) for single sign-on, the following ports are also required:
Microsoft provides a very useful training module that covers the fundamentals of AD CS, along with examples covering the management of certificate enrollment, certificate revocation and certificate trusts.
The steps for setting up a vulnerable AD CS server are covered in the [[Installing AD CS|./ldap_esc_vulnerable_cert_finder.md]] section.