
Active Directory / LDAP Scanner

The Active Directory Scanner connects to AD/LDAP to discover certificates issued by internal CAs, certificate templates, and CA configurations.

Scope:

  • Active Directory Certificate Services (ADCS) — internal PKI infrastructure
  • LDAP certificate attributes — certificates stored in directory objects
  • CA configurations — certificate authority settings and templates

How it works:

  1. Connects to the AD/LDAP server using configured credentials
  2. Authenticates via simple bind or NTLM
  3. Queries the configuration naming context for CA and template information
  4. Enumerates issued certificates from CA databases
  5. Searches user/computer objects for certificate attributes (userCertificate, cACertificate)
  6. Extracts certificate template configurations and enrollment settings
Configuration:

```yaml
scanners:
  active-directory:
    - forests:
        - name: corp.example.com
          auth_type: simple
          username: svc_scanner
          password: scannerpass
          domain: CORP
          use_ssl: true
          domains:
            - server: dc01.corp.example.com
              base_dn: DC=corp,DC=example,DC=com
```
| Parameter | Required | Default | Description |
|---|---|---|---|
| forests[].name | Yes | | Forest DNS name |
| forests[].auth_type | Yes | | Authentication type: simple or ntlm |
| forests[].username | Yes | | Service account username |
| forests[].password | Yes | | Service account password |
| forests[].domain | No | | NetBIOS domain name (for NTLM) |
| forests[].use_ssl | No | true | Use LDAPS (port 636) |
| forests[].domains[].server | Yes | | Domain controller hostname |
| forests[].domains[].base_dn | Yes | | LDAP base distinguished name |
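
The following is an added example (not the scanner's own code) showing how the parameter table above translates into a configuration check and into concrete connection targets: it validates one `forests[]` entry against the required/optional columns, applies the `use_ssl` default to choose LDAPS on 636 or LDAP on 389, and derives the configuration naming context from the forest name. The container names under `CN=Public Key Services` are the standard ADCS locations and are assumed here as the places a scanner would query; the `CN=AIA` path matches the example output further down this page. Treating a missing `domain` as an error only for `ntlm` is this example's interpretation of the "(for NTLM)" note, not a documented rule.

```python
VALID_AUTH_TYPES = ("simple", "ntlm")
REQUIRED_FOREST_KEYS = ("name", "auth_type", "username", "password", "domains")
REQUIRED_DOMAIN_KEYS = ("server", "base_dn")

# Constructed input: the same forest entry as the YAML example on this page.
EXAMPLE_FOREST = {
    "name": "corp.example.com",
    "auth_type": "simple",
    "username": "svc_scanner",
    "password": "scannerpass",
    "domain": "CORP",
    "use_ssl": True,
    "domains": [
        {"server": "dc01.corp.example.com", "base_dn": "DC=corp,DC=example,DC=com"},
    ],
}


def validate_forest(forest: dict) -> list:
    """Return configuration errors for one forests[] entry (empty when usable)."""
    errors = []
    for key in REQUIRED_FOREST_KEYS:
        if key not in forest:
            errors.append(f"forests[].{key} is required")
    auth_type = forest.get("auth_type")
    if auth_type is not None and auth_type not in VALID_AUTH_TYPES:
        errors.append(f"forests[].auth_type must be one of {VALID_AUTH_TYPES}, got {auth_type!r}")
    # 'domain' is optional in the table but only meaningful for NTLM; this example
    # (an assumption, not a documented rule) rejects an NTLM forest without it.
    if auth_type == "ntlm" and not forest.get("domain"):
        errors.append("forests[].domain is needed when auth_type is ntlm")
    domains = forest.get("domains")
    if "domains" in forest and not domains:
        errors.append("forests[].domains must list at least one domain controller")
    for index, domain in enumerate(domains or []):
        for key in REQUIRED_DOMAIN_KEYS:
            if key not in domain:
                errors.append(f"forests[].domains[{index}].{key} is required")
    return errors


def forest_root_dn(forest_name: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join(f"DC={label}" for label in forest_name.split("."))


def resolve_forest(forest: dict) -> dict:
    """Apply the table's defaults and compute where the scanner has to look."""
    use_ssl = forest.get("use_ssl", True)  # default 'true' per the parameter table
    scheme, port = ("ldaps", 636) if use_ssl else ("ldap", 389)
    config_nc = "CN=Configuration," + forest_root_dn(forest["name"])
    pks = "CN=Public Key Services,CN=Services," + config_nc
    return {
        "urls": [f"{scheme}://{d['server']}:{port}" for d in forest["domains"]],
        "configuration_nc": config_nc,
        # Standard ADCS containers in the configuration NC (assumed query bases;
        # the AIA container matches the DN in this page's example output).
        "search_bases": {
            "enrollment_services": "CN=Enrollment Services," + pks,
            "certificate_templates": "CN=Certificate Templates," + pks,
            "aia": "CN=AIA," + pks,
        },
        # Per-domain bases for the userCertificate / cACertificate sweep.
        "domain_bases": [d["base_dn"] for d in forest["domains"]],
    }


if __name__ == "__main__":
    print(validate_forest(EXAMPLE_FOREST))
    print(resolve_forest(EXAMPLE_FOREST))
```

Run it against a real configuration before the first scan: a `use_ssl: false` entry will produce plain `ldap://...:389` URLs, which is the one case worth rejecting outright in a production deployment, since simple-bind credentials would travel unencrypted.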
| Asset Type | What's Captured |
|---|---|
| certificate | CA certificates, issued certificates, subject, issuer, template name, enrollment flags |
| public-key | Algorithm, key size (extracted from certificates) |

| Category | Details |
|---|---|
| CA certificates | Root and issuing CA certificates, CA name, validity |
| Issued certificates | Certificates issued to users/computers/services |
| Certificate templates | Template name, key usage, key size requirements, validity period |
| Enrollment settings | Auto-enrollment status, permitted requestors |

Certificates are deduplicated using SHA-256 of DER-encoded certificate bytes. Certificates found in multiple AD objects (e.g., published to both user and computer objects) appear once with all locations referenced.
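
The deduplication rule above, as an added example that is not the scanner's own code: LDAP results carrying DER blobs are collapsed by the SHA-256 of the raw bytes, and every (DN, attribute) the same blob was found in is recorded on the single resulting asset. The DER values are constructed byte strings, not real certificates, since the logic only touches the bytes; the `;binary` handling is the example's own normalisation for LDAP servers that return the attribute as `userCertificate;binary`.

```python
import hashlib
from collections import OrderedDict

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CA_DER = b"\x30\x82\x01\x0a-constructed-issuing-ca-der"
USER_DER = b"\x30\x82\x02\x1b-constructed-user-cert-der"

# Constructed LDAP search results as (dn, attribute, values). The issuing CA
# certificate is published in the AIA container and also sits in a computer
# object's cACertificate attribute, so it must come out as one asset.
SEARCH_RESULTS = [
    ("CN=Corp Issuing CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com",
     "cACertificate", [CA_DER]),
    ("CN=DC01,OU=Domain Controllers,DC=corp,DC=example,DC=com",
     "cACertificate;binary", [CA_DER]),
    ("CN=John Doe,OU=Users,DC=corp,DC=example,DC=com",
     "userCertificate", [USER_DER]),
]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the 'sha256:<hex>' form used by the output."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


def normalise_attribute(name: str) -> str:
    """Strip LDAP attribute options such as ';binary' so locations compare equal."""
    return name.split(";", 1)[0]


def dedupe_certificates(results) -> list:
    """Collapse identical DER blobs into one record keyed by fingerprint.

    Each record keeps a 'locations' list with every (dn, attribute) pair the
    certificate was seen in; duplicates of the same location are ignored.
    """
    assets = OrderedDict()
    for dn, attribute, values in results:
        for der in values:
            fp = fingerprint(der)
            record = assets.setdefault(fp, {
                "type": "certificate",
                "fingerprint": fp,
                "der_length": len(der),
                "locations": [],
            })
            location = {"dn": dn, "attribute": normalise_attribute(attribute)}
            if location not in record["locations"]:
                record["locations"].append(location)
    return list(assets.values())


if __name__ == "__main__":
    for asset in dedupe_certificates(SEARCH_RESULTS):
        print(asset["fingerprint"], len(asset["locations"]), "location(s)")
```

Hashing the DER rather than the PEM text or the subject matters: two objects can carry certificates with identical subject and issuer but different keys (a renewed CA certificate, for instance), and those must stay separate assets.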

  • Discover all certificates issued by internal CAs — get complete visibility into enterprise PKI
  • Find expired or weak certificates in Active Directory that may still be trusted
  • Audit certificate templates — identify templates with overly permissive settings (ESC vulnerabilities)
  • Track CA certificate expiry — ensure root and issuing CA certificates are rotated before expiry
Example output (CA certificate):

```json
{
  "type": "certificate",
  "fingerprint": "sha256:b8c9d0e1f2a3...",
  "subject": "CN=Corp Issuing CA, DC=corp, DC=example, DC=com",
  "issuer": "CN=Corp Root CA, DC=corp, DC=example, DC=com",
  "serialNumber": "61:00:00:00:02:...",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidBefore": "2020-01-01T00:00:00Z",
  "notValidAfter": "2030-01-01T00:00:00Z",
  "isCA": true,
  "templateName": null,
  "source": {
    "scanner": "active-directory",
    "forest": "corp.example.com",
    "server": "dc01.corp.example.com",
    "dn": "CN=Corp Issuing CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com"
  }
}
```

Example output (issued user certificate):

```json
{
  "type": "certificate",
  "fingerprint": "sha256:c9d0e1f2a3b4...",
  "subject": "CN=john.doe@corp.example.com",
  "issuer": "CN=Corp Issuing CA, DC=corp, DC=example, DC=com",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidAfter": "2025-03-15T00:00:00Z",
  "isCA": false,
  "templateName": "User",
  "keyUsage": ["digitalSignature", "keyEncipherment"],
  "source": {
    "scanner": "active-directory",
    "forest": "corp.example.com",
    "server": "dc01.corp.example.com",
    "dn": "CN=John Doe,OU=Users,DC=corp,DC=example,DC=com",
    "attribute": "userCertificate"
  }
}
```
