Locksmith Version Released with Multi-Domain Forest Bug Fix


Jake Hildreth has announced the release of Locksmith version 2025.4.20, featuring a major bug fix for multi-domain forest environments. This update resolves issues where Locksmith incorrectly reported Certificate Authorities (CAs) as unavailable.

Key updates in this release:

  • Multi-domain forest compatibility (Bug fix contributed by Jonathan Colón)
  • Updated ESC15 remediation script
  • Enhanced examples and documentation
  • DevOps improvements by Sam Erde

Download & Installation

  • GitHub Release: Locksmith v2025.4.20
  • PowerShell Install:
    Install-Module -Name Locksmith -Scope CurrentUser -Force
    

You Should Know: Essential Locksmith & PKI Commands

1. Checking Available CAs in a Multi-Domain Forest

Use this PowerShell command to verify CAs:

# Get-CertificationAuthority comes from the PSPKI module, not from Locksmith itself
Get-AdForest | Select-Object -ExpandProperty Domains | ForEach-Object { Get-CertificationAuthority -ComputerName $_ }
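The bug this release fixes was about CA availability across domains, so it helps to see where CAs are actually published. As an added example (not code from the Locksmith project), the following enumerates every Enterprise CA from the forest-wide Configuration partition and pings each one; it assumes the ActiveDirectory RSAT module and certutil.exe are available on the machine running it.

```powershell
# Added example, not part of the Locksmith release or code base.
# Enrollment Services objects live in the Configuration naming context, which is
# replicated to every domain controller in the forest, so a single query lists
# the CAs of all domains rather than querying domain by domain.
Import-Module ActiveDirectory

function Get-ForestEnterpriseCA {
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName |
        ForEach-Object {
            # certutil expects the CA "config string" in the form <host>\<CA name>
            $config = '{0}\{1}' -f $_.dNSHostName, $_.Name

            # certutil -ping issues an ICertRequest call against the CA;
            # a zero exit code means the CA service answered.
            $null = certutil -ping -config $config 2>&1

            [pscustomobject]@{
                CAName     = $_.Name
                HostName   = $_.dNSHostName
                HostDomain = ($_.dNSHostName -split '\.', 2)[1]
                Reachable  = ($LASTEXITCODE -eq 0)
            }
        }
}

# Any CA reported here but flagged unavailable by a tool run from another
# domain points at name resolution or RPC connectivity, not at the CA itself.
Get-ForestEnterpriseCA | Format-Table -AutoSize
```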

2. ESC15 Remediation Script

If dealing with ESC15 vulnerabilities, apply the updated remediation script:

Invoke-ESC15Remediation -ForestRoot "corp.example.com" -Force

3. Debugging Locksmith Issues

Enable verbose logging:

Import-Module Locksmith -Verbose -Force

4. Linux Alternative: OpenSSL PKI Checks

For Linux-based PKI checks:

openssl s_client -connect ca-server.corp.example.com:443 -showcerts

5. Windows CA Backup & Restore

Backup a CA database:

Backup-CARoleService -Path "C:\CA_Backup" -Password (ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force)

6. Auditing Certificate Templates

List vulnerable certificate templates:

Get-CertificateTemplate | Where-Object { $_.SchemaVersion -lt 2 } | Format-Table Name, SchemaVersion

What Undercode Says

Locksmith remains a critical tool for PKI security, especially in Active Directory environments. The latest update fixes a longstanding issue in multi-domain setups, making it more reliable for enterprise deployments.

Additional Security Checks

  • Linux: Check for rogue CAs in logs:
    journalctl -u certmonger --no-pager | grep "CA_ERROR"
    
  • Windows: Verify CA service health:
    Get-Service -Name certsvc | Select-Object Status, StartType
    
  • OpenSSL: Verify a CA certificate chain:
    openssl verify -CAfile root-ca.pem intermediate-ca.pem
    

Expected Output:

Status  Name     DisplayName
------  ----     -----------
Running certsvc  Active Directory Certificate Services

For more details, visit the Locksmith GitHub.

References:

Reported By: Jakehildreth Release – Hackers Feeds