https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#update-certificate-connector-strong-mapping-requirements-for-kb5014754
Good afternoon. It seems that from February 2025 Microsoft will begin to reject certificate authentications if the digital certificate does not contain the SID of the user in AD.
Does this affect us, since we use certmonger on Linux to issue the certificates we use to authenticate to the domain through an ADFS?
Is it planned to be able to include the user's SID attribute in the certificate?
Thank you.
From my reading of this change, this is Intune server-side only, so certmonger should be unaffected. certmonger does not issue certificates; it acts on behalf of users to request and renew them.
Hi @rcritten, in my company we have already implemented certificate login for our Linux devices (certificates issued with certmonger) against our Microsoft ADFS (which does the authentication against AD), and AD is triggering the insecure certificate warning because of the hardening that has been implemented following the KB5014754 vulnerability. This is the event that appears in AD for the certificate when it authenticates:
The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.
User: lloorens
Certificate Subject: @@@CN=lloorens
Certificate Issuer: CA
Certificate Serial Number: 110000DXXXXXX
Certificate Thumbprint: 451DXXXXXX
Certificate Issuance Policies:
So it seems that the SID of the object in AD will somehow have to be included in the certificate.
This is the certmonger command I use to issue certificates currently:
getcert request -I lloorens -c "CA" -N "CN=lloorens" -D lloorens -L "pass_challenge" -K email -k /etc/ssl/certs/lloorens.key -f /etc/ssl/certs/lloorens.crt -p passwd.txt
How could I add one of those (explicit mapping, key trust mapping, or a SID)?
Thank you very much for this application!!
From my reading, you can use certificate mapping today to avoid the audit messages. See https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap
Otherwise, yes, it looks like certmonger would need a way to include a SID in the CSR. I found https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/ which appears to cover the process pretty well. How well that would adapt to certmonger, I don't know.
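To make the CSR side concrete, here is an added example (my code, not certmonger's and not the code from the blog linked above) that builds the DER value of the Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT, which carries the SID as an OtherName of type 1.3.6.1.4.1.311.25.2.1) in plain Python with no third-party modules, parses it back for verification, and prints the argument you would hand to `openssl req -addext` to get it into a CSR. The SID value is constructed, and the OpenSSL-based request path is an assumption for illustration; certmonger itself has no parameter for this.

```python
"""Encode/decode the Microsoft SID certificate extension used for KB5014754 strong mapping.

Layout as AD CS issues it:
  extnValue ::= SEQUENCE {                                  -- 0x30
      [0] IMPLICIT OtherName {                              -- 0xA0
          type-id  OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1,
          value    [0] EXPLICIT OCTET STRING "S-1-5-21-..."  -- 0xA0 { 0x04 }
      }
  }
Added example, not certmonger code; the SID used below is constructed.
"""
import re

OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"   # the extension itself
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"       # OtherName type-id inside it
SID_RE = re.compile(r"S-1-\d+(-\d+)+")


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _oid_body(oid: str) -> bytes:
    """Base-128 contents octets of a dotted OID."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def build_sid_extension(sid: str) -> bytes:
    """Return the DER extnValue for szOID_NTDS_CA_SECURITY_EXT carrying `sid`."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    value = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))   # [0] EXPLICIT OCTET STRING
    other_name = _tlv(0xA0, _tlv(0x06, _oid_body(OID_NTDS_OBJECTSID)) + value)
    return _tlv(0x30, other_name)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the TLV) for the TLV starting at `pos`."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln


def parse_sid_extension(der: bytes) -> str:
    """Extract the SID string; raises ValueError if the layout is not the AD CS one."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE expected")
    tag, other_name, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("[0] OtherName expected")
    tag, oid, pos = _read_tlv(other_name, 0)
    if tag != 0x06 or oid != _oid_body(OID_NTDS_OBJECTSID):
        raise ValueError("OtherName type-id is not szOID_NTDS_OBJECTSID")
    tag, explicit, _ = _read_tlv(other_name, pos)
    tag2, sid, _ = _read_tlv(explicit, 0)
    if tag != 0xA0 or tag2 != 0x04:
        raise ValueError("[0] EXPLICIT OCTET STRING expected")
    sid_str = sid.decode("ascii")
    if not SID_RE.fullmatch(sid_str):
        raise ValueError(f"OCTET STRING is not a SID: {sid_str!r}")
    return sid_str


def openssl_addext(sid: str) -> str:
    """Value for `openssl req -addext`, using OpenSSL's arbitrary-extension DER: syntax."""
    return OID_NTDS_CA_SECURITY_EXT + "=DER:" + ":".join(f"{b:02X}" for b in build_sid_extension(sid))


if __name__ == "__main__":
    sid = "S-1-5-21-1234567890-123456789-1234567890-1105"   # constructed, not a real account
    der = build_sid_extension(sid)
    print(der.hex())
    print(parse_sid_extension(der))
    print(openssl_addext(sid))
```

The SID has to come from AD (for example by decoding the binary objectSid attribute over LDAP, or `wbinfo -n lloorens` on a winbind-joined host); the printed `1.3.6.1.4.1.311.25.2=DER:30:3F:...` string then goes into `openssl req -new -key lloorens.key -subj "/CN=lloorens" -addext '...'`, and `openssl req -in lloorens.csr -noout -text` will list it as an unknown extension with those raw bytes. Two caveats: the CA must actually copy the requested extension into the issued certificate (a CA that ignores requested extensions silently drops it, so check the certificate, not the CSR), and the KDC trusts the SID in the certificate only because it trusts the CA, so whoever can get a CSR with an arbitrary SID signed can impersonate that account.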
Honestly, I wouldn't know how to implement with certmonger what that link describes. One possible solution I can see is for certmonger to accept an OID as a parameter and be passed the hex of the SID, which I already extract from AD, to include it in the certificate.
What is clear to me, then, is that for all the certificates I have already issued and that are authenticating, there is no technical solution to what Microsoft now requires.
Otherwise, you can always put the issuer that issues all client certificates in the object's altSecurityIdentities attribute in AD, as Microsoft instructs:
This mapping is done on AD side, not on the client requesting the certificate.
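The mapping described above lives on the AD object, and after KB5014754 only some altSecurityIdentities forms count as strong. As an added example (not from this thread or from certmonger), here is Python that builds the strong Issuer+SerialNumber value for a certificate and classifies existing values, covering the two details that usually go wrong: the issuer DN is written in reverse RDN order and the serial number in reversed byte order. The issuer name and serial are constructed; real ones come from the issued certificate.

```python
"""Build and check altSecurityIdentities values for KB5014754 strong certificate mapping.

Added example, not from the thread. Only these X509 forms are strong:
  X509:<I>issuer<SR>serial    issuer + serial number (serial bytes reversed)
  X509:<SKI>hex               Subject Key Identifier
  X509:<SHA1-PUKEY>hex        SHA-1 of the public key
Subject-only (<S>), issuer+subject (<I>...<S>...) and <RFC822> remain weak.
"""
import re

STRONG_FORMS = (
    re.compile(r"^X509:<I>[^<]+<SR>[0-9A-Fa-f]+$"),
    re.compile(r"^X509:<SKI>[0-9A-Fa-f]+$"),
    re.compile(r"^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$"),
)


def reverse_dn(dn_rfc4514: str) -> str:
    """Turn 'CN=CA,DC=contoso,DC=com' (LDAP string order, CN first, as Windows tools
    show it) into the 'DC=com,DC=contoso,CN=CA' order the mapping string uses.
    Naive split: a DN with an escaped comma inside a value needs a real RFC 4514 parser.
    Note: `openssl x509 -noout -issuer` already prints RDNs in this reversed (DER) order."""
    rdns = [r.strip() for r in dn_rfc4514.split(",") if r.strip()]
    return ",".join(reversed(rdns))


def reverse_serial(serial_hex: str) -> str:
    """The <SR> field is the certificate serial number in reversed byte order, upper-case hex."""
    raw = bytes.fromhex(serial_hex.replace(":", ""))
    return raw[::-1].hex().upper()


def issuer_serial_mapping(issuer_dn_rfc4514: str, serial_hex: str) -> str:
    """Strong X509:<I>...<SR>... value for one specific certificate."""
    return f"X509:<I>{reverse_dn(issuer_dn_rfc4514)}<SR>{reverse_serial(serial_hex)}"


def is_strong_mapping(value: str) -> bool:
    """True if `value` is one of the mapping forms the KDC treats as strong after KB5014754."""
    return any(p.match(value) for p in STRONG_FORMS)


if __name__ == "__main__":
    # Constructed issuer and serial; take real ones from `openssl x509 -noout -issuer -serial`.
    mapping = issuer_serial_mapping("CN=CONTOSO-DC-CA,DC=contoso,DC=com",
                                    "2B:00:00:00:00:11:AC:00:00:00:00:12")
    print(mapping)
    for v in (mapping,
              "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>CN=lloorens",
              "X509:<RFC822>lloorens@contoso.com"):
        print("strong" if is_strong_mapping(v) else "weak  ", v)
```

The value is written to the user object from the AD side, for example with `Set-ADUser lloorens -Replace @{altSecurityIdentities="X509:<I>...<SR>..."}` or an `ldapmodify` against the DC. Because the serial number is unique per certificate, this mapping has to be updated on every renewal, which is the operational cost of the strong form compared with a per-issuer entry.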
Yes, but as you indicate, by adding that it will no longer deny user authentication if the certificate does not contain the user's OID and SID.
Still, it would be nice to get certmonger to create it.
A question: is it possible with certmonger to create a CSR file with the extensions you need and make the request with it?
Example: add a URI extension (which certmonger can't add by parameter) with the data you want.
It is not possible to add extensions that certmonger doesn't support.