
# EnterpriseCA

*Applies to BloodHound Enterprise and CE*

## Representation

The EnterpriseCA node represents the Active Directory LDAP objects of the *pKIEnrollmentService* class located in the *Enrollment Services* container in the Configuration Naming Context.

## Node properties

The node supports the properties listed in the table below. Three kinds of property names are used, depending on where the property is found:

* **Entity Panel:** Name shown in the BloodHound UI.
* **Database:** Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
* **Directory:** Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.

| Entity Panel | Database | Directory | Description |
| --- | --- | --- | --- |
| Object ID | `objectid` | `objectGUID` | The object's unique identifier in the directory. |
| ACL Inheritance Denied | `isaclprotected` | `nTSecurityDescriptor` | Whether inherited permissions (ACEs) from containers are blocked on this object. |
| Basic Constraint Path Length | `basicconstraintpathlength` | `caCertificate` (`X509Certificate`) | The maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certificate chain. |
| CA Name | `caname` | `name` | Name of the CA in the directory. |
| CA Security Collected | `casecuritycollected` | - | Whether the Security ACL stored in the registry of the CA host has been collected. |
| Certificate Chain | `certchain` | `caCertificate` (`X509Certificate`) | A hierarchical list of certificates starting with the certificate for this CA and ending with a self-signed root certificate. Each certificate is signed by the private key of the next CA certificate in the list. |
| Certificate Name | `certname` | `caCertificate` (`X509Certificate`) | The name of the CA's certificate. |
| Certificate Thumbprint | `certthumbprint` | `caCertificate` (`X509Certificate`) | The thumbprint (unique identifier) of the CA's certificate. |
| Created | `whencreated` | `whenCreated` | When the object was created in the directory. |
| Distinguished Name | `distinguishedname` | `distinguishedName` | The name of the object and its location in AD. |
| DNS Hostname | `dnshostname` | `dNSHostName` | The DNS host name of the CA host. |
| Domain FQDN | `domain` | - | The fully qualified domain name (FQDN) of the domain the object belongs to. |
| Domain SID | `domainsid` | - | The SID of the domain the object belongs to. |
| Enrollment Agent Restrictions Collected | `enrollmentagentrestrictionscollected` | - | Whether the EnrollmentAgentRights ACL stored in the registry of the CA host has been collected. |
| Flags | `flags` | `flags` | Various flags controlling features of the enrollment service. |
| Has Basic Constraints | `hasbasicconstraints` | `caCertificate` (`X509Certificate`) | Whether the CA certificate has basic constraints. |
| Has Enrollment Agent Restrictions | `hasenrollmentagentrestrictions` | - | Whether the enrollment agent restrictions are enabled. |
| Is User Specifies San Enabled Collected | `isuserspecifiessanenabledcollected` | - | Whether the EditFlags registry value of the CA host has been collected. |
| Is User Specifies San Enabled | `isuserspecifiessanenabled` | - | Whether the CA host has the *user specifies SAN* (`EDITF_ATTRIBUTESUBJECTALTNAME2`) flag present in its EditFlags registry value. |
| Last Collected by BloodHound | `lastcollected` | - | The most recent time the object was collected and ingested in BloodHound. |
| Last Seen by BloodHound | `lastseen` | - | The most recent time the object or a reference to it was collected and ingested in BloodHound. |
| Role Separation Enabled Collected | `roleseparationenabledcollected` | - | Whether the RoleSeparationEnabled registry value of the CA host has been collected. |
| Role Separation Enabled | `roleseparationenabled` | - | Whether the CA host enforces role separation, i.e. a user is not permitted to hold both the CA Administrator role and the Certificate Manager role. |
| Unresolved Published Certificate Templates | `unresolvedpublishedtemplates` | `certificateTemplates` | The published certificate templates which could not be found. |
| - | `name` | `name` + domain name | Name of the object + @ + the name of the domain. |

## Edges

The following edge types may be linked to/from this node. See the [edges documentation](/resources/edges) for more information on the edge types.

### Incoming edges

| Edge type | Entity panel category |
| --- | --- |
| [Enroll](/resources/edges/enroll) | Inbound Object Control |
| [GenericAll](/resources/edges/generic-all) | Inbound Object Control |
| [GenericWrite](/resources/edges/generic-write) | Inbound Object Control |
| [HostsCAService](/resources/edges/hosts-ca-service) | PKI Hierarchy |
| [IssuedSignedBy](/resources/edges/issued-signed-by) | PKI Hierarchy |
| [ManageCA](/resources/edges/manage-ca) | Inbound Object Control |
| [ManageCertificates](/resources/edges/manage-certificates) | Inbound Object Control |
| [Owns](/resources/edges/owns) | Inbound Object Control |
| [PublishedTo](/resources/edges/published-to) | Published Templates |
| [WriteDacl](/resources/edges/write-dacl) | Inbound Object Control |
| [WriteOwner](/resources/edges/write-owner) | Inbound Object Control |

### Outgoing edges

| Edge type | Entity panel category |
| --- | --- |
| [EnterpriseCAFor](/resources/edges/enterprise-ca-for) | PKI Hierarchy |
| [IssuedSignedBy](/resources/edges/issued-signed-by) | PKI Hierarchy |
| [TrustedForNTAuth](/resources/edges/trusted-for-nt-auth) | PKI Hierarchy |
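The property table above gives the database names to use in Cypher, and the edge tables give the relationship types that connect an EnterpriseCA to the rest of the graph. The query below is an added example, not part of the original documentation, that combines the two for a configuration audit: for every Enterprise CA it reports the hosting computer, the user-specifies-SAN and role-separation settings, and how many templates are published to it. The `Computer` and `CertTemplate` node labels are assumed from BloodHound's schema and are not listed on this page. Because the `*collected` properties record whether the registry values were read at all, the query returns them alongside the setting itself so that a `false` setting is not confused with a value that was never collected.

```cypher
// Added example, not from the BloodHound documentation.
// Assumes the Computer and CertTemplate node labels from BloodHound's schema.
// Property names are the "Database" column of the EnterpriseCA property table;
// HostsCAService and PublishedTo are incoming edges listed for this node.
MATCH (h:Computer)-[:HostsCAService]->(ca:EnterpriseCA)
OPTIONAL MATCH (t:CertTemplate)-[:PublishedTo]->(ca)
RETURN ca.name                              AS ca,
       h.name                               AS host,
       // registry-derived settings: report the collected flag next to the value,
       // since a false value is only meaningful when the flag is true
       ca.isuserspecifiessanenabledcollected AS sanFlagCollected,
       ca.isuserspecifiessanenabled          AS userSpecifiesSan,
       ca.roleseparationenabledcollected     AS roleSepCollected,
       ca.roleseparationenabled              AS roleSeparation,
       ca.casecuritycollected                AS caSecurityCollected,
       count(t)                              AS publishedTemplates
ORDER BY userSpecifiesSan DESC, roleSeparation ASC, ca
```

Rows where `sanFlagCollected` or `roleSepCollected` is `false` indicate the collector could not read the CA host's registry, so those CAs need a follow-up collection rather than being treated as safely configured. CAs with `userSpecifiesSan` set to `true` or `roleSeparation` set to `false` are the ones to review first.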

## References

* [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953)
* [https://learn.microsoft.com/en-us/windows/win32/adschema/c-pkienrollmentservice](https://learn.microsoft.com/en-us/windows/win32/adschema/c-pkienrollmentservice)
