Certify

Certify is a C# tool for enumerating and exploiting misconfigurations in Active Directory Certificate Services (AD CS). It focuses on vulnerabilities related to certificate templates and their permissions within an Active Directory environment. Security professionals and administrators can use Certify to evaluate the security of their AD CS deployment, identify potential weaknesses, and take measures to mitigate the associated risks.

Installation

Certify must be compiled before use. The developers provide compile instructions in the README file; in general, this involves using Visual Studio 2019 Community Edition to build the project: open the Certify solution file (.sln), choose the "Release" configuration, and build the project.

Please note that the developers do not provide precompiled binaries, so users need to compile the tool themselves.

How to Use

Certify provides various commands for different actions. Below are some examples of commands and their purposes:

  • Certify.exe cas: Find information about all registered CAs.
  • Certify.exe find: Find all enabled certificate templates.
  • Certify.exe find /vulnerable: Find vulnerable/abusable certificate templates.
  • Certify.exe pkiobjects: Enumerate access control information for PKI objects.
  • Certify.exe request: Request a new certificate using the current user or machine context.
  • Certify.exe download: Download an already requested certificate.

These are just a few examples. The tool provides several other commands and options. Users need to execute the appropriate command based on their objectives, such as identifying vulnerable templates, requesting certificates, or analyzing access control information.
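
On the defensive side, the commands listed above leave recognisable process command lines. The following is an added example (not part of the original page or of the Certify project) that classifies process-creation command lines by Certify verb so that enumeration can be told apart from certificate issuance. The event field names, hosts and paths are constructed, and it assumes the binary has not been renamed.

```python
import ntpath
import shlex

# Verbs from the command list above, grouped by what they mean to a defender.
ENUMERATION = {"cas", "find", "pkiobjects"}   # discovery of CAs, templates, ACLs
ISSUANCE = {"request", "download"}            # a certificate is being obtained

def classify(command_line):
    """Return (verb, category) for a Certify invocation, else None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:                                   # unbalanced quote in a truncated field
        tokens = command_line.split()
    if not tokens:
        return None
    image = ntpath.basename(tokens[0].strip('"')).lower()
    if image not in ("certify.exe", "certify"):          # assumption: binary not renamed
        return None
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    if verb in ISSUANCE:
        return verb, "issuance"
    if verb in ENUMERATION:
        flags = {t.lower() for t in tokens[2:]}
        if verb == "find" and "/vulnerable" in flags:
            return verb, "vulnerable-template-hunt"
        return verb, "enumeration"
    return verb, "other"   # the tool has further commands not listed on this page

def scan(events):
    """Return (host, verb, category) for every event that ran Certify."""
    hits = []
    for ev in events:
        result = classify(ev["command_line"])
        if result:
            hits.append((ev["host"], *result))
    return hits

# Constructed process-creation records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": r'"C:\Users\Public\my tools\Certify.exe" find /vulnerable'},
    {"host": "WS01", "command_line": r"certify.exe REQUEST"},
    {"host": "WS02", "command_line": r"C:\Windows\System32\whoami.exe /all"},
    {"host": "WS03", "command_line": r"Certify.exe cas"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Matching on the image name alone is easy to evade, so treat a hit as a starting point for review rather than complete coverage.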

Additional Information

Certify outputs detailed information about the identified vulnerabilities, including CA names, template names, permissions, and potential risks associated with each template.

The README file includes defensive considerations, compile instructions, and additional information on running Certify through PowerShell or PSRemoting.

Certify has been designed to be used by security professionals for offensive security testing, and it's important to understand the potential impact and risks associated with its use.

The tool was released at Black Hat 2021, and users are encouraged to refer to the provided whitepaper for prevention and detection guidance.
