badsectorlabs.ludus_adcs

Ansible Role: ADCS (Ludus)

This Ansible role installs Active Directory Certificate Services (ADCS) on Windows Server and can optionally create the misconfigured ("Certified Pre-Owned") templates used in ADCS labs.

  • Converts the VM with the "badsectorlabs.ludus_adcs" role into a Certificate Authority.
  • Can create certificate templates for ESC1, 2, 3, and 13.
  • Can set the ATTRIBUTESUBJECTALTNAME2 flag on the CA for ESC6.
  • Can enable web enrollment for ESC8.
  • For ESC13, can create a user (esc13user), a group (esc13group), a template (ESC13), and an issuance policy (IssuancePolicyForESC13).

[!WARNING] This role is not idempotent! If you set a ludus_adcs_escX variable to true, run the role, then change it to false and run the role again, the template created by the first run will NOT be removed.

Requirements

There are no specific requirements.

Role Variables

Here are the available variables along with their default values (see defaults/main.yml):

  • ludus_adcs_domain: Gets the netbios name of the assigned domain.

  • ludus_adcs_dc: Gets the VM name of the primary Domain Controller for that domain.

  • ludus_adcs_ca_host: Retrieves the hostname for this host from the settings.

  • ludus_adcs_domain_username: Combines the domain name with the admin username.

  • ludus_adcs_domain_password: Password for the admin user.

  • ludus_adcs_ca_common_name: Sets the common name for the CA.

  • Features ESC options: These can be set to true or false for specific configurations:

    • ludus_adcs_esc1: true
    • ludus_adcs_esc2: true
    • ludus_adcs_esc3: true
    • ludus_adcs_esc3_cra: true
    • ludus_adcs_esc4: true
    • ludus_adcs_esc6: true
    • ludus_adcs_esc8: true
    • ludus_adcs_esc13: true

  • Variables for ESC13:

    • ludus_adcs_esc13_user: esc13user
    • ludus_adcs_esc13_password: ESC13password
    • ludus_adcs_esc13_group: esc13group
    • ludus_adcs_esc13_template: ESC13

Dependencies

No dependencies are required.

Example Playbook

Here's an example of how to use this role in a playbook:

- hosts: adcs_hosts
  roles:
    - badsectorlabs.ludus_adcs
  vars:
    ludus_adcs_domain: mydomain
    ludus_adcs_ca_host: CAHOST
    ludus_adcs_domain_username: "mydomain\\Administrator"
    ludus_adcs_domain_password: P@ssw0rd
    ludus_adcs_ca_common_name: mydomain-CA
    ludus_adcs_ca_web_enrollment: true
    ludus_adcs_esc1: true
    ludus_adcs_esc2: true
    ludus_adcs_esc3: true
    ludus_adcs_esc3_cra: true
    ludus_adcs_esc4: true
    ludus_adcs_esc6: true
    ludus_adcs_esc8: true
    ludus_adcs_esc13: true

Example Ludus Range Config

Here's a configuration example:

ludus:
  - vm_name: "{{ range_id }}-ad-dc-win2022-server-x64-1"
    hostname: "{{ range_id }}-DC01-2022"
    template: win2022-server-x64-template
    vlan: 10
    ip_last_octet: 11
    ram_gb: 6
    cpus: 4
    windows:
      sysprep: true
    domain:
      fqdn: ludus.domain
      role: primary-dc
    roles:
      - badsectorlabs.ludus_adcs
    role_vars:
      ludus_adcs_esc6: false # By default, ESC1,2,3,4,6,8, and 13 are enabled
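After the range has deployed, it is worth confirming that the CA actually carries the misconfigurations the role was asked for (and nothing more, given the non-idempotency warning above). The following PowerShell is an added example and is not part of the role or of Ludus; it assumes it runs on the CA host as a domain admin with the ActiveDirectory module available, and that the template names match the ESC identifiers the role documents (ESC1, ESC2, ESC3, ESC4, ESC13).

```powershell
# Added example: post-deployment audit of the lab CA built by badsectorlabs.ludus_adcs.
# Not part of the role. Assumes: run on the CA host, domain admin, ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: the role names its templates after the ESC identifiers.
$expectedTemplates = @('ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC13')
$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$oidContainer      = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# 1. Which of the expected templates exist in the configuration partition?
$present = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    Select-Object -ExpandProperty Name
foreach ($t in $expectedTemplates) {
    $state = if ($present -contains $t) { 'present' } else { 'MISSING' }
    Write-Output ("Template {0,-6} : {1}" -f $t, $state)
}

# 2. ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) in the CA's policy EditFlags.
#    certutil lists the symbolic flag names set in the DWORD, so a text match suffices.
$editFlags = certutil -getreg policy\EditFlags 2>$null
$esc6 = @($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2').Count -gt 0
Write-Output ("ESC6 (ATTRIBUTESUBJECTALTNAME2) : {0}" -f $(if ($esc6) { 'enabled' } else { 'not set' }))

# 3. ESC8: the Web Enrollment role service is installed on this CA host.
$web = Get-WindowsFeature -Name ADCS-Web-Enrollment
Write-Output ("ESC8 (web enrollment feature)   : {0}" -f $(if ($web.Installed) { 'installed' } else { 'not installed' }))

# 4. ESC13: an issuance policy OID linked to a group through msDS-OIDToGroupLink
#    (the role's default is IssuancePolicyForESC13 -> esc13group).
$linked = Get-ADObject -SearchBase $oidContainer -LDAPFilter '(msDS-OIDToGroupLink=*)' `
    -Properties displayName, 'msDS-OIDToGroupLink'
if ($linked) {
    foreach ($o in $linked) {
        Write-Output ("ESC13 issuance policy {0} -> {1}" -f $o.displayName, $o.'msDS-OIDToGroupLink')
    }
} else {
    Write-Output 'ESC13: no issuance policy is linked to a group'
}
```

Running this once right after deployment gives a baseline of which ESC conditions are really present in the range; running it again after changing role_vars shows which templates and flags persisted because the role does not remove them.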

License

GPLv3

Some of the code is based on tasks from GOAD (also GPLv3).

The project ADCSTemplate is licensed under the MIT license and was created by Ashley McGlone.

Author Information

This role was created in 2024 by Bad Sector Labs for Ludus.

Project information

Add Active Directory Certificate Services to a Windows server

Install
ansible-galaxy install badsectorlabs.ludus_adcs
License
gpl-3.0
Downloads
680
Owner