|
Note
|
Please download the binary package from the releases page. |
|
Note
|
Please consult the changelog if upgrading from a previous version. |
TameMyCerts is a policy module for Microsoft Active Directory Certificate Services (AD CS) enterprise certification authorities, written in C#, that enables security automation for a lot of use cases in the PKI field.
The module supports, amongst other functions, checking certificate requests for certificate templates that allow the subject information to be specified by the enrollee against a defined policy. If any of the requested Subject string or Subject Alternative Name (SAN) violates the defined rules, the certificate request automatically gets denied by the certification authority. This concept is also known as applying "name constraints" to certificates. The module therefore helps you to tame your certs!
As a PKI operator, it is your responsibility to verify and confirm the enrollee’s identity, and ensure he is permitted to request a certificate for the specified identity. As the certificate volume in a typical enterprise is quite high, it is common to automate the task of certificate issuance where possible. Active Directory Certificate Services offers the possibility to identify an enrollee by it’s Active Directory identity (meaning the PKI delegates the identification job to AD) and build the certificate content based on this information.
Sadly, there are many cases where this is not possible. In these cases, a certificate request is usually put into pending state so that a certificate manager can review and approve/deny the certificate request. However, this contradicts the goal of automatization. Also, putting such a certificate request into pending state is often not possible due to technical reasons. In these cases, the identification job is delegated entirely to the enrollee, which can lead to serious security issues: Any subject information (e.g. logon identities of administrative accounts in user certificates, or fraudulent web addresses in web server certificates) can be specified which opens a large security gap, waiting to be abused by attackers.
The TameMyCerts policy module addresses, amongst others, the following use cases:
-
Certificate issuance must be delegated to a 3rd party service, for example, Mobile Device Management (MDM) systems like Microsoft Endpoint Manager (aka InTune) or VMware AirWatch/Workspace One, Network Device Enrollment Service (NDES) deployments or similar use cases that require the certificate template to be configured to have the enrollee supply the subject information with the certificate signing request in combination with direct certificate issuance. Without the module, there is absolutely no control over the issued certificate content.
-
The module can also mitigate the problem that certificates may be inconsistent among platforms (e.g. having differing subject information on a mobile phone managed by MDM than on a PC that uses Autoenrollment because of inconsistent configuration settings on the MDM) by enforcing certificate content.
-
It is also capable of ensuring that a user or computer account exists in Active Directory matching the requested certificate, and that it is enabled and member (or not) of specific security groups (e.g. this can prevent issuing certificates for administrative accounts via MDM).
-
-
Building the Subject Distinguished Name (DN) from Active Directory object attribues (e.g. supplementing Organizational Units, or issuing certificates containing the DisplayName or UPN as identity) via offline and online certificate requests.
-
Adding the the newly introduced Security Identifier (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2 that was introduced with KB5014754) extension into offline certificate requests, which e.g. allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping will be enforced by Microsoft on November 14, 2023.
-
Technical or legal requirements to allow any kind of subject RDN to be enabled for issuance on the certification authority (enabling CRLF_REBUILD_MODIFIED_SUBJECT_ONLY flag on the certification authority). Without the module, there is no control over which exact subject RDNs are allowed to be issued.
-
Certificate templates configured to allow Elliptic Curve Cryptography (ECC) keys. Without the module, it would be possible that certificates get issued that use small RSA keys (e.g. 512 bit or even smaller) even though these would be not allowed in the certificate template configuration, as the Windows Default policy module only validates the key length but not the key algorithm.
-
Issuance of certificates with a validity period within exactly defined timeframe (e.g. valid only exactly for one work shift), or having the requirement to have all certificates end by a specific date.
-
Preventing Users to request certificates from templates that are intended to be used solely with AutoEnrollment via alternative methods (e.g. MMC.exe).
-
It is also the perfect companion for the AdcsToRest REST API for AD CS.
Consult the User Guide to install and configure the module.
If you just want to install and use TameMyCerts, there is no need for building from source. Please download the binary package from the releases page in this case.
If you want to build the module from source, call the supplied build scripts from the Visual Studio Developer command prompt:
-
make_debug.cmd for a debug build (does not increment version number).
-
make_release.cmd for a release build (auto-increments version number).