The "Tame My Certs" policy module for Active Directory Certificate Services certification authorities

TameMyCerts is a policy module for Microsoft Active Directory Certificate Services (AD CS) enterprise certification authorities that enables security automation for a lot of use cases in the PKI field.

It supports, amongst other functions, inspecting certificate requests for certificate templates that allow the subject information to be specified by the enrollee against a defined policy. If any of the requested identities violates the defined rules, the certificate request automatically gets denied by the certification authority. Requested identities can also be mapped against Active Directory to apply restrictions based on group memberships. Issued certificates can be enriched with either static values, values from mapped Active directory objects, or by values from the original certificate request transferred into other certificate fields.

The module therefore helps you to tame the zoo of your certificates and use cases, and by doing so immensely improves your PKI's security! It has proven itself in countless environments of enterprise-grade scale.

Besides enterprise grade production workloads, TameMyCerts' request inspection and logging capabilites empower the Certiception honeypot toolkit for AD CS to allow spotting adversaries trying to abuse a Microsoft certification authority.

Commercial support, consulting services and maintenance agreements are available on demand. Contact me for details if you are interested.

TameMyCerts is fully compatible with all AD CS' functions and protocols like NDES, CEP, and CES. It can be used in combination with any 3rd party application like Mobile Device Management (MDM) systems, from any vendor.

Getting started

• Download ready-made binary packages from the Releases page here on GitHub.

• Consult the user guide to learn how to install, configure and use the module.

• Consult the changelog if upgrading from a previous version.

Value Proposition

As a PKI operator, it is your responsibility to verify and confirm the enrollee's identity, and ensure he is permitted to request a certificate for the specified identity. As the certificate volume in a typical enterprise is quite high, it is common to automate the task of certificate issuance where possible. Active Directory Certificate Services offers the possibility to identify an enrollee by it's Active Directory identity (meaning the PKI delegates the identification job to AD) and build the certificate content based on this information.

Sadly, there are many cases where this is not possible. In these cases, a certificate request is usually put into pending state so that a certificate manager can review and approve/deny the certificate request. However, this contradicts the goal of automatization. Also, putting such a certificate request into pending state is often not possible due to technical reasons. In these cases, the identification job is delegated entirely to the enrollee, which can lead to serious security issues: Any subject information (e.g. logon identities of administrative accounts in user certificates, or fraudulent web addresses in web server certificates) can be specified which opens a large security gap, waiting to be abused by attackers.

The TameMyCerts policy module addresses, amongst others, the following use cases:

• Certificate issuance must be delegated to a 3rd party service, for example, Mobile Device Management (MDM) systems like Microsoft Endpoint Manager (aka InTune) or VMware AirWatch/Workspace One, Network Device Enrollment Service (NDES) deployments or similar use cases that require the certificate template to be configured to have the enrollee supply the subject information with the certificate signing request in combination with direct certificate issuance. Without the module, there is absolutely no control over the issued certificate content.

• The module can also mitigate the problem that certificates may be inconsistent among platforms (e.g. having differing subject information on a mobile phone managed by MDM than on a PC that uses Autoenrollment because of inconsistent configuration settings on the MDM) by enforcing certificate content.

• It is also capable of ensuring that a user or computer account exists in Active Directory matching the requested certificate, and that it is enabled and member (or not) of specific security groups (e.g. this can prevent issuing certificates for administrative accounts via MDM).

• Modifying the Subject Distinguished Name (DN) or Subject Alternative Name (SAN) of issued certificates based on individual rules containing values from the opriginating certificate request or from Active Directory object attribues (e.g. supplementing Organizational Units, or issuing certificates containing the DisplayName or UPN as identity) via offline and online certificate requests.

• Adding the the newly introduced Security Identifier (SID) certificate extension (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2 that was introduced with KB5014754) into offline certificate requests, which e.g. allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping will be enforced by Microsoft on February 11, 2025.

• Technical or legal requirements to allow any kind of Subject Relative Distinguished Name to be enabled for issuance on the certification authority (enabling CRLF_REBUILD_MODIFIED_SUBJECT_ONLY flag on the certification authority). Without the module, there is no control over which exact Subject RDNs are allowed to be issued.

• Certificate templates configured to allow Elliptic Curve Cryptography (ECC) keys. Without the module, it would be possible that certificates get issued that use small RSA keys (e.g. 512 bit or even smaller) even though these would be not allowed in the certificate template configuration, as the Windows Default policy module only validates the key length but not the key algorithm.

• Issuance of certificates with a validity period within exactly defined timeframe (e.g. valid only exactly for one work shift), or having the requirement to have all certificates end by a specific date.

• Preventing Users to request certificates from templates that are intended to be used solely with AutoEnrollment via alternative methods (e.g. MMC.exe).

• TameMyCerts is also the perfect companion for the TameMyCerts REST API for AD CS, the TameMyCerts Certificate Enrollment Proxy for AD CS or the awesome ACME-ADCS-Server project.