ESC6 fails with "CERTSRV_E_SUBJECT_EMAIL_REQUIRED" #73

Closed
jsdhasfedssad opened this issue Aug 9, 2022 · 2 comments

@jsdhasfedssad

jsdhasfedssad commented Aug 9, 2022

Hi,

Using Certipy 4.0.0, I attempt to execute the ESC6 attack, but this fails with "CERTSRV_E_SUBJECT_EMAIL_REQUIRED". As far as I know, this error is related to the certificate template not having "Supply in the request" enabled, since not having that requires an e-mail address by default. However, since the CA has been configured with the flag "EDITF_ATTRIBUTESUBJECTALTNAME2", not having "Supply in the request" should not matter. Is that correct?

I have not configured e-mail addresses for my test accounts, and that is also not required when creating them, but this attack has worked before. As soon as I add an e-mail address to the account "domainuser1" using ADUC, the attack works. Note that the DC and ADCS server were not patched after May 2022 at the time of this test.

Below you can see the command I use and the error:
[screenshot: esc6c]

Below you can see that the CA is vulnerable to ESC6:
[screenshot: esc6a]

Below you see the default configuration for the template ESC6 that I use in this test:
[screenshot: esc6b]

Also, what is the error I can expect when I target patched servers?

@ly4k
Owner

ly4k commented Aug 11, 2022

Hello @jsdhasfedssad, I think I tried to add email to the subject but it didn't work, but since we're controlling the subject, I'll try to see if this is a mistake on my end during testing. Will keep you notified.

@jsdhasfedssad
Author

Hi. Any update on this? I now also get the same issue when performing the ESC1 attack. Thanks!

ly4k closed this as completed Sep 26, 2023