This article applies to BHCE and BHE

The edge indicates that a certificate template includes an issuance policy as a certificate extension.

Abuse Info

An attacker may perform the ADCS ESC13 abuse, which relies on an issuance policy included in a certificate. This relationship alone is not enough to escalate rights or impersonate other principals.

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
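
To audit this relationship defensively, the added example below (not BloodHound's own code) joins certificate templates to issuance policy objects and separates the pairs that deserve review from the inert ones. It assumes the data comes from an LDAP export keyed by the AD schema attributes `msPKI-Certificate-Policy`, `msPKI-Cert-Template-OID` and `msDS-OIDToGroupLink`, and that a policy linked to a group is the additional condition that makes the relationship matter. All names and OIDs are constructed.

```python
# Added example: constructed sample data, not an export from a real forest.
# Attribute names are AD schema names; every value below is made up.
TEMPLATES = [
    {"cn": "UserAuth", "msPKI-Certificate-Policy": ["1.3.6.1.4.1.311.21.8.1.1.100"]},
    {"cn": "VPNAccess", "msPKI-Certificate-Policy": ["1.3.6.1.4.1.311.21.8.1.1.200",
                                                      "1.3.6.1.4.1.311.21.8.1.1.999"]},
    {"cn": "WebServer"},  # no issuance policy configured
]
OID_OBJECTS = [
    {"displayName": "Tier0 Access",
     "msPKI-Cert-Template-OID": "1.3.6.1.4.1.311.21.8.1.1.100",
     "msDS-OIDToGroupLink": "CN=Tier0-Admins,OU=Groups,DC=example,DC=test"},
    {"displayName": "VPN Assurance",
     "msPKI-Cert-Template-OID": "1.3.6.1.4.1.311.21.8.1.1.200"},
]


def policy_relationships(templates, oid_objects):
    """Return one row per (template, issuance policy OID) pair."""
    by_oid = {o["msPKI-Cert-Template-OID"]: o for o in oid_objects}
    rows = []
    for t in templates:
        # The attribute is multi-valued and absent when no policy is set.
        for oid in t.get("msPKI-Certificate-Policy", []):
            obj = by_oid.get(oid)  # None: template references an unknown OID
            rows.append({
                "template": t["cn"],
                "policy_oid": oid,
                "policy_name": obj["displayName"] if obj else None,
                "resolved": obj is not None,
                "linked_group": obj.get("msDS-OIDToGroupLink") if obj else None,
            })
    return rows


def needs_review(rows):
    """Pairs whose policy is linked to a group: check enrollment rights first."""
    return [r for r in rows if r["linked_group"]]


if __name__ == "__main__":
    for r in policy_relationships(TEMPLATES, OID_OBJECTS):
        status = ("REVIEW" if r["linked_group"]
                  else "no group link" if r["resolved"] else "unresolved OID")
        print(f'{r["template"]:10} {r["policy_oid"]:32} {status}')
```

Unresolved OIDs are reported rather than dropped, since a template that references a policy with no matching object usually points to stale or incomplete export data.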