AD CS Configuration Hardening for VeridiumID Certificate Templates

Advisory Type: Informational — Severity: Low
Date Published: 19 November 2025

1. Executive Summary

As part of Veridium’s commitment to secure deployment practices, we have updated our guidance on configuring Active Directory Certificate Services (AD CS) certificate templates used with VeridiumID.

This advisory is informational only.
It does not describe a vulnerability in Veridium software.
It provides deployment hardening recommendations to help customers ensure that their AD CS template permissions follow least-privilege best practices.

2. Description

In some AD CS environments, granting certificate enrollment permissions to broad Active Directory groups (such as Authenticated Users, Domain Users, or Domain Computers) can introduce unnecessary exposure. While VeridiumID does not require these permissions, earlier documentation did not explicitly discourage them.

The documentation has now been updated to clearly define the recommended secure configuration:

  • Only the Veridium service/computer account should have enrollment permissions

  • Broad AD groups should not have any access

  • The Veridium account should be treated as a Tier 0 identity

This aligns Veridium guidance with Microsoft AD CS hardening and current industry recommendations.

3. Impact Assessment

  • No defect or vulnerability exists in Veridium software

  • This advisory applies only to AD CS configuration choices

  • Customers following least-privilege practices are not impacted

  • No exploitation or misuse has been observed

Severity: Informational / Low

4. Recommended Customer Actions

The following actions should be applied to the Veridium Enrollment Agent certificate template (the BopsRA template).

4.1 Required Template Permissions

Grant the following permissions only to the Veridium service/computer account:

  • Read (Allowed)

  • Enroll (Allowed)

  • Autoenroll (Not required; leave disabled)

  • Write / Modify / Full Control (Not permitted)

4.2 Remove Broad Group Permissions

Verify that none of the following groups have any permissions on the Veridium certificate template:

  • Authenticated Users

  • Domain Users

  • Domain Computers

  • Users

  • Everyone

If any appear, remove them.
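The checks in 4.1 and 4.2 can be run from a domain-joined admin host rather than clicked through in the Certificate Templates console. The script below is an added example, not code from the advisory or from Veridium; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and that the Veridium account name passed in `-VeridiumAccount` is replaced with the real service/computer account (the `EXAMPLE\veridium$` value is a placeholder). It reads the security descriptor of the template object under CN=Certificate Templates and reports, per Allow ACE, whether the principal is one of the broad groups from 4.2, whether it holds Enroll or Autoenroll, and whether it can modify the template.

```powershell
# Added example (not part of the Veridium advisory): audit the BopsRA template ACL
# against sections 4.1 and 4.2 of the advisory.
param(
    [string]$TemplateName    = 'BopsRA',            # template named in the advisory
    [string]$VeridiumAccount = 'EXAMPLE\veridium$'  # placeholder: your Veridium service/computer account
)
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Principals that section 4.2 says must hold no ACE on the template
$BroadPrincipalPattern = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|.*\\Domain (Users|Computers))$'

# Rights that let a principal change the template itself (section 4.1: not permitted)
$R = [System.DirectoryServices.ActiveDirectoryRights]
$WriteMask = $R::WriteDacl -bor $R::WriteOwner -bor $R::GenericWrite -bor $R::GenericAll -bor $R::WriteProperty

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties nTSecurityDescriptor

$report = foreach ($ace in $template.nTSecurityDescriptor.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never widen access
    $who = $ace.IdentityReference.Value

    # An ExtendedRight ACE with an empty ObjectType grants every control-access right, Enroll included
    $allExtended = (($ace.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty)
    $enroll      = ($ace.ObjectType -eq $EnrollGuid)     -or $allExtended
    $autoEnroll  = ($ace.ObjectType -eq $AutoEnrollGuid) -or $allExtended
    $canModify   = ($ace.ActiveDirectoryRights -band $WriteMask) -ne 0
    $broad       = $who -match $BroadPrincipalPattern
    $isVeridium  = $who -eq $VeridiumAccount

    $findings = @()
    if ($broad)                       { $findings += 'broad group holds an ACE (4.2)' }
    if ($enroll -and -not $isVeridium){ $findings += 'Enroll granted to a non-Veridium principal (4.1)' }
    if ($isVeridium -and $autoEnroll) { $findings += 'Autoenroll granted to Veridium account; not required (4.1)' }
    if ($isVeridium -and $canModify)  { $findings += 'Veridium account can modify the template (4.1)' }

    [pscustomobject]@{
        Principal  = $who
        Enroll     = [bool]$enroll
        AutoEnroll = [bool]$autoEnroll
        CanModify  = [bool]$canModify
        Broad      = [bool]$broad
        Findings   = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize

# The one ACE that must exist: Read + Enroll for the Veridium account
if (-not ($report | Where-Object { $_.Principal -eq $VeridiumAccount -and $_.Enroll })) {
    Write-Warning "No Allow ACE grants Enroll to $VeridiumAccount on $TemplateName"
}
```

Domain Admins and Enterprise Admins normally keep Full Control on every template so they can administer it; the script reports their CanModify value but raises a finding only for the Veridium account and for the broad groups the advisory names. Any row whose Findings column is non-empty is an ACE to remove or narrow in the template's Security tab, after which rerunning the script should leave only the Veridium account with Enroll.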

4.3 Treat the Veridium Account as Tier 0

The Veridium service/computer account should be handled with the same protections as:

  • Domain Controllers

  • AD FS servers

  • Privileged identity infrastructure

This includes isolation, strong credential protection, and privileged-access workstation usage.

4.4 Optional: Audit Previously Issued Certificates

Customers may review certificates issued from their VeridiumID template to identify:

  • Unexpected subject names or SANs

  • Certificates issued to unexpected accounts

  • Enrollment events from systems outside the Veridium deployment

If needed, revoke certificates and publish an updated CRL.
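For the audit in 4.4, the CA database records who requested each certificate, from which template, and when. The script below is an added example and not part of the advisory or of VeridiumID; it assumes `certutil.exe` access to the issuing CA (local, or via `-CaConfig 'host\CA name'`), CA read rights, and that the `ExpectedRequesters` placeholder is replaced with the real Veridium account(s). It lists certificates issued from the BopsRA template and flags those whose requester is not an expected account, which covers the second and third bullets above; subject names and SANs come from the same rows' CommonName column and, if needed, from the RawCertificate column, which is not pulled here.

```powershell
# Added example (not part of the Veridium advisory): list certificates issued from the
# BopsRA template and flag requesters other than the Veridium account (section 4.4).
param(
    [string]$TemplateName         = 'BopsRA',
    [string[]]$ExpectedRequesters = @('EXAMPLE\veridium$'),  # placeholder account name(s)
    [string]$CaConfig             = ''                       # 'host\CA name' for a remote CA; empty = local CA
)

# CA database column names understood by certutil -out
$columns = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter,SerialNumber'

$certutilArgs = @()
if ($CaConfig) { $certutilArgs += @('-config', $CaConfig) }
# Disposition 20 = issued; a trailing "csv" makes certutil emit comma-separated rows
$certutilArgs += @('-view', '-restrict', 'Disposition=20', '-out', $columns, 'csv')

$raw = & certutil.exe @certutilArgs
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# certutil's header line uses display names, so supply the column names as the header and drop theirs
$rows = $raw | ConvertFrom-Csv -Header ($columns -split ',') | Select-Object -Skip 1

# The template column holds the template name, or its OID followed by the name; match on the name
$issued = @($rows | Where-Object { $_.CertificateTemplate -like "*$TemplateName*" })

$flagged = @($issued | Where-Object { $ExpectedRequesters -notcontains $_.RequesterName } |
    Select-Object RequestID, RequesterName, CommonName, NotBefore, NotAfter, SerialNumber)

"{0} certificate(s) issued from {1}; {2} from unexpected requesters" -f $issued.Count, $TemplateName, $flagged.Count
$flagged | Format-Table -AutoSize
```

Each flagged row carries the serial number needed for the revocation step the advisory describes: `certutil -revoke <SerialNumber> <Reason>` on the CA revokes one certificate (reason codes follow the RFC 5280 CRLReason values, for example 1 for key compromise), and `certutil -CRL` publishes the updated CRL afterwards. Review the flagged entries before revoking; a requester that is unexpected only because the account was renamed is a naming mismatch, not a misuse.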

5. Updated Documentation

The revised deployment guidance is available here:

https://docs.veridiumid.com/docs/v3.8.3/3-3-create-the-bopsra-template

Customers should ensure all future and existing deployments follow this updated configuration.

6. Support and Disclosure Contacts

For assistance reviewing your configuration:
support@veridiumid.com
