
# CertTemplate

*Applies to BloodHound Enterprise and BloodHound Community Edition (CE).*

## Representation

The CertTemplate node represents Active Directory LDAP objects of the *pKICertificateTemplate* class. They live in the *Certificate Templates* container of the Configuration Naming Context (`CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...`). Because the Configuration NC is replicated forest-wide, a template object is shared by every domain in the forest rather than belonging to a single domain.

## Node properties

The node supports the properties listed in the table below. Each property has up to three names, depending on where it is found:

* **Entity Panel:** Name shown in the BloodHound UI.
* **Database:** Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
* **Directory:** Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.

| **Entity Panel** | **Database** | **Directory** | **Description** |
| --- | --- | --- | --- |
| Display Name                                | `displayname`                  | `displayName`                                                            | The display name of the object.                                                                                                                                                                                                                                                                                           |
| Object ID                                   | `objectid`                     | `objectGUID`                                                             | The object's unique identifier in the directory.                                                                                                                                                                                                                                                                          |
| ACL Inheritance Denied                      | `isaclprotected`               | `nTSecurityDescriptor`                                                   | Whether inherited permissions (ACEs) from containers are blocked on this object.                                                                                                                                                                                                                                          |
| Application Policies Required               | `applicationpolicies`          | `msPKI-RA-Application-Policies`                                          | The application policy OIDs (EKUs) that the registration authority (RA) counter-signatures on a certificate request must carry.                                                                                                                                                                                           |
| Application Policy Extensions               | `certificateapplicationpolicy` | `msPKI-Certificate-Application-Policy`                                   | List of EKUs that might go into issued certificates (see Effective EKUs).                                                                                                                                                                                                                                                 |
| Authentication Enabled                      | `authenticationenabled`        | -                                                                        | Whether the certificate can be used for authentication. See this blog post for more details on how it is calculated: [https://specterops.io/blog/2024/01/24/adcs-attack-paths-in-bloodhound-part-1/](https://specterops.io/blog/2024/01/24/adcs-attack-paths-in-bloodhound-part-1/)                                       |
| Authorized Signatures Required              | `authorizedsignatures`         | `msPKI-RA-Signature`                                                     | Specifies the number of enrollment registration authority signatures that are required in an enrollment request.                                                                                                                                                                                                          |
| Certificate Name Flags                      | `certificatenameflag`          | `msPKI-Certificate-Name-Flag`                                            | Contains the flags related to constructing the Subject and Subject Alternative Name in an issued certificate.                                                                                                                                                                                                             |
| Created                                     | `whencreated`                  | `whenCreated`                                                            | When the object was created in the directory.                                                                                                                                                                                                                                                                             |
| Distinguished Name                          | `distinguishedname`            | `distinguishedName`                                                      | The name of the object and its location in AD.                                                                                                                                                                                                                                                                            |
| Domain FQDN                                 | `domain`                       | -                                                                        | The fully qualified domain name (FQDN) of the domain the object belongs to.                                                                                                                                                                                                                                               |
| Domain SID                                  | `domainsid`                    | -                                                                        | The SID of the domain the object belongs to.                                                                                                                                                                                                                                                                              |
| Effective EKUs                              | `effectiveekus`                | -                                                                        | The list of EKUs that will appear in the Enhanced Key Usage extension (2.5.29.37) of issued certificates. <br /><br />By default this is the content of `msPKI-Certificate-Application-Policy`. If the schema version is 1 and `pKIExtendedKeyUsage` is not empty, the content of `pKIExtendedKeyUsage` is used instead. |
| Enhanced Key Usage                          | `ekus`                         | `pKIExtendedKeyUsage`                                                    | List of EKUs that might go into issued certificates (see Effective EKUs).                                                                                                                                                                                                                                                 |
| Enrollee Supplies Subject                   | `enrolleesuppliessubject`      | `msPKI-Certificate-Name-Flag` (`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`)      | Whether the enrollee supplies the Subject and Subject Alternative Name in the certificate request, instead of the CA building them from the requester's AD object.                                                                                                                                                       |
| Enrollment Flags                            | `enrollmentflag`               | `msPKI-Enrollment-Flag`                                                  | Contains enrollment-related flags.                                                                                                                                                                                                                                                                                        |
| Issuance Policies Required                  | `issuancepolicies`             | `msPKI-RA-Policies`                                                      | Contains the list of required policy OIDs from those who sign enrollment requests.                                                                                                                                                                                                                                        |
| Issuance Policy Extensions                  | `certificatepolicy`            | `msPKI-Certificate-Policy`                                               | List of issuance polices that are included in issued certificates.                                                                                                                                                                                                                                                        |
| Last Collected by BloodHound                | `lastcollected`                | -                                                                        | The most recent time the object was collected and ingested in BloodHound.                                                                                                                                                                                                                                                 |
| Last Seen by BloodHound                     | `lastseen`                     | -                                                                        | The most recent time the object or a reference to it was collected and ingested in BloodHound.                                                                                                                                                                                                                            |
| No Security Extension                       | `nosecurityextension`          | `msPKI-Enrollment-Flag` (`CT_FLAG_NO_SECURITY_EXTENSION`)                | Whether issued certificates omit the security extension (szOID_NTDS_CA_SECURITY_EXT, OID 1.3.6.1.4.1.311.25.2) that embeds the enrollee's SID. Domain controllers may require this extension to map a certificate to an account during authentication.                                                                  |
| OID                                         | `oid`                          | `msPKI-Cert-Template-OID`                                                | Specifies the object identifier of the certificate template.                                                                                                                                                                                                                                                              |
| Renewal Period                              | `renewalperiod`                | `pKIOverlapPeriod`                                                       | The period by which issued certificates should be renewed before they expire.                                                                                                                                                                                                                                             |
| Requires Manager Approval                   | `requiresmanagerapproval`      | `msPKI-Enrollment-Flag` (`CT_FLAG_PEND_ALL_REQUESTS`)                    | Whether certificate requests will require manager approval.                                                                                                                                                                                                                                                               |
| Schema Version                              | `schemaversion`                | `msPKI-Template-Schema-Version`                                          | The schema version of the certificate template.                                                                                                                                                                                                                                                                           |
| Subject Alternative Name Require DNS        | `subjectaltrequiredns`         | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_ALT_REQUIRE_DNS`)        | Whether the certificate template requires the DNS name of the subject for the Subject Alternative Name.                                                                                                                                                                                                                   |
| Subject Alternative Name Require Domain DNS | `subjectaltrequiredomaindns`   | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS`) | Whether the certificate template requires the domain DNS name of the subject for the Subject Alternative Name.                                                                                                                                                                                                            |
| Subject Alternative Name Require Email      | `subjectaltrequireemail`       | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL`)      | Whether the certificate template requires the email of the subject for the Subject Alternative Name.                                                                                                                                                                                                                      |
| Subject Alternative Name Require SPN        | `subjectaltrequirespn`         | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_ALT_REQUIRE_SPN`)        | Whether the certificate template requires the UPN (yes, not the SPN) of the subject for the Subject Alternative Name.                                                                                                                                                                                                     |
| Subject Alternative Name Require UPN        | `subjectaltrequireupn`         | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_ALT_REQUIRE_UPN`)        | Whether the certificate template requires the UPN of the subject for the Subject Alternative Name.                                                                                                                                                                                                                        |
| Subject Require Email                       | `subjectrequireemail`          | `msPKI-Certificate-Name-Flag` (`CT_FLAG_SUBJECT_REQUIRE_EMAIL`)          | Whether the certificate template requires the email of the subject.                                                                                                                                                                                                                                                       |
| Validity Period                             | `validityperiod`               | `pKIExpirationPeriod`                                                    | The validity period for issued certificates.                                                                                                                                                                                                                                                                              |
| -                                           | `name`                         | `name` + domain name                                                     | Name of the object + @ + the name of the domain.                                                                                                                                                                                                                                                                          |
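The following is an added example, not BloodHound's or SharpHound's own collector code. It shows how the **Database** properties above are derived from the raw **Directory** attributes: decoding the `CT_FLAG_*` bits of `msPKI-Certificate-Name-Flag` and `msPKI-Enrollment-Flag` (bit values as defined in MS-CRTD), choosing the effective EKU list by schema version, decoding the 8-byte `pKIExpirationPeriod` / `pKIOverlapPeriod` values, and deriving `authenticationenabled` from the EKU set described in the linked blog post. The sample LDAP entry is constructed for the example, the upper-casing of `name` is an assumption about BloodHound's naming convention, and the treatment of an empty effective EKU list as authentication-enabled is taken from the blog post.

```python
"""Derive BloodHound CertTemplate "Database" properties from "Directory" attributes.

Added example, not BloodHound's or SharpHound's own code. CT_FLAG_* values are
the MS-CRTD bit definitions; the sample entry below is constructed, not real data.
"""
import struct

# msPKI-Certificate-Name-Flag bits (MS-CRTD section 2.28)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x00400000
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN = 0x00800000
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x20000000

# msPKI-Enrollment-Flag bits (MS-CRTD section 2.26)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKUs that allow a certificate to be used for authentication (the set described in
# the linked blog post). An empty effective EKU list also counts: such a
# certificate is not restricted to any purpose. Both taken as assumptions here.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def decode_pki_period_days(raw: bytes) -> int:
    """pKIExpirationPeriod / pKIOverlapPeriod: 8-byte little-endian signed integer
    holding a NEGATIVE count of 100-nanosecond intervals. Returns whole days."""
    (hundred_ns,) = struct.unpack("<q", raw)
    return (-hundred_ns) // 10_000_000 // 86_400


def encode_pki_period_days(days: int) -> bytes:
    """Inverse of decode_pki_period_days; used here only to build the sample entry."""
    return struct.pack("<q", -(days * 86_400 * 10_000_000))


def effective_ekus(schema_version: int, ekus: list, app_policies: list) -> list:
    """msPKI-Certificate-Application-Policy wins, except for schema version 1
    templates whose pKIExtendedKeyUsage is non-empty."""
    if schema_version == 1 and ekus:
        return list(ekus)
    return list(app_policies)


def authentication_enabled(effective: list) -> bool:
    return not effective or any(oid in AUTH_EKUS for oid in effective)


def to_bloodhound_properties(entry: dict, domain: str) -> dict:
    """Map one pKICertificateTemplate LDAP entry to the Database property names."""
    name_flag = entry.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = entry.get("msPKI-Enrollment-Flag", 0)
    effective = effective_ekus(
        entry.get("msPKI-Template-Schema-Version", 1),
        entry.get("pKIExtendedKeyUsage", []),
        entry.get("msPKI-Certificate-Application-Policy", []),
    )
    return {
        # Assumption: BloodHound upper-cases "<name>@<domain>".
        "name": f"{entry['name']}@{domain}".upper(),
        "displayname": entry.get("displayName"),
        "schemaversion": entry.get("msPKI-Template-Schema-Version"),
        "certificatenameflag": name_flag,
        "enrollmentflag": enroll_flag,
        "ekus": list(entry.get("pKIExtendedKeyUsage", [])),
        "certificateapplicationpolicy": list(entry.get("msPKI-Certificate-Application-Policy", [])),
        "effectiveekus": effective,
        "authenticationenabled": authentication_enabled(effective),
        "enrolleesuppliessubject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "subjectaltrequiredns": bool(name_flag & CT_FLAG_SUBJECT_ALT_REQUIRE_DNS),
        "subjectaltrequiredomaindns": bool(name_flag & CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS),
        "subjectaltrequireemail": bool(name_flag & CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL),
        "subjectaltrequirespn": bool(name_flag & CT_FLAG_SUBJECT_ALT_REQUIRE_SPN),
        "subjectaltrequireupn": bool(name_flag & CT_FLAG_SUBJECT_ALT_REQUIRE_UPN),
        "subjectrequireemail": bool(name_flag & CT_FLAG_SUBJECT_REQUIRE_EMAIL),
        "requiresmanagerapproval": bool(enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "nosecurityextension": bool(enroll_flag & CT_FLAG_NO_SECURITY_EXTENSION),
        "validityperiod": decode_pki_period_days(entry["pKIExpirationPeriod"]),
        "renewalperiod": decode_pki_period_days(entry["pKIOverlapPeriod"]),
    }


# Constructed sample entry (not real directory data): a schema-2 template that lets
# the enrollee supply the subject, requires a UPN in the SAN, carries Client
# Authentication in its application policy, and omits the SID security extension.
SAMPLE_ENTRY = {
    "name": "WebServerCustom",
    "displayName": "Web Server (custom)",
    "msPKI-Template-Schema-Version": 2,
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
    "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.2"],
    "pKIExpirationPeriod": encode_pki_period_days(365),
    "pKIOverlapPeriod": encode_pki_period_days(42),
}

if __name__ == "__main__":
    for key, value in to_bloodhound_properties(SAMPLE_ENTRY, "corp.local").items():
        print(f"{key:30} {value!r}")
```

Note that `effectiveekus`, not `ekus`, is the list to reason about: for the schema-2 sample the `pKIExtendedKeyUsage` value is ignored in favour of `msPKI-Certificate-Application-Policy`, while a schema-1 template with a non-empty `pKIExtendedKeyUsage` takes the opposite branch. The flag constants are also the values to check when reading `certificatenameflag` and `enrollmentflag` as raw integers in Cypher.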

## Edges

The following edge types may be linked to/from this node. See the [edges documentation](/resources/edges) for more information on the edge types.

### Incoming edges

| **Edge type** | **Entity panel category** |
| --- | --- |
| [AllExtendedRights](/resources/edges/all-extended-rights)               | Inbound Object Control    |
| [DelegatedEnrollmentAgent](/resources/edges/delegated-enrollment-agent) | -                         |
| [Enroll](/resources/edges/enroll)                                       | Inbound Object Control    |
| [EnrollOnBehalfOf](/resources/edges/enroll-on-behalf-of)                | -                         |
| [GenericAll](/resources/edges/generic-all)                              | Inbound Object Control    |
| [GenericWrite](/resources/edges/generic-write)                          | Inbound Object Control    |
| [Owns](/resources/edges/owns)                                           | Inbound Object Control    |
| [WriteDacl](/resources/edges/write-dacl)                                | Inbound Object Control    |
| [WriteOwner](/resources/edges/write-owner)                              | Inbound Object Control    |
| [WritePKIEnrollmentFlag](/resources/edges/write-pki-enrollment-flag)    | Inbound Object Control    |
| [WritePKINameFlag](/resources/edges/write-pki-name-flag)                | Inbound Object Control    |

### Outgoing edges

| **Edge type** | **Entity panel category** |
| --- | --- |
| [EnrollOnBehalfOf](/resources/edges/enroll-on-behalf-of) | -                         |
| [ExtendedByPolicy](/resources/edges/extended-by-policy)  | -                         |
| [PublishedTo](/resources/edges/published-to)             | Published To CAs          |

## References

* [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953)
* [https://learn.microsoft.com/en-us/windows/win32/adschema/c-pkicertificatetemplate](https://learn.microsoft.com/en-us/windows/win32/adschema/c-pkicertificatetemplate)
