2025-12-13, Rookie Track 1
Certificate-based Authentication is often thought of as superior to Password-based Authentication, especially when backed by the Enterprise's internal Certificate Authority — but how many services actually validate whether a certificate was intended for them?
This talk shines a light on the hidden danger of reusing the same Certificate Authority for multiple, unrelated services that rely on Client Authentication (clientAuth). Whilst certificate-based auth is widely regarded as “stronger than passwords,” the reality is more complicated: many services will happily accept any valid client certificate signed by a trusted CA, without enforcing whether the certificate was actually meant for that service.
We’ll walk through real-world examples — from VPN gateways to internal microservices — where a client certificate minted for one purpose can be repurposed to access a completely different system. We’ll explore why this happens, how EKUs and certificate templates are (mis)used, and why enterprises often set themselves up for cross-service trust explosions.
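The failure mode described above can be shown end to end in a few lines of Go, using only the standard library's crypto/x509. The code below is an added illustration, not material from the talk or from any product it mentions: it stands up a single constructed "internal CA", mints two clientAuth certificates for two unrelated services (a VPN user and an orders microservice), and contrasts the check most services actually perform (chain + clientAuth EKU only) with one that also binds the certificate to the service presenting it. The SPIFFE-style URI SAN values, the function names `ChainOnly` and `AuthorizeClient`, and the use of a URI SAN as the service binding are all assumptions made for the example; a real deployment might instead use a certificate policy OID, a per-service issuing CA, or a template-specific name constraint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Constructed service identities carried in the URI SAN (assumption for this example).
const (
	VPNService    = "spiffe://example.internal/vpn-gateway"
	OrdersService = "spiffe://example.internal/orders-api"
)

// issue signs tmpl with signerKey under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI stands in for the shared enterprise CA: one root, two unrelated clientAuth leaves.
// It returns the trust pool, the VPN user's certificate and the orders-service certificate.
func BuildPKI() (*x509.CertPool, *x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// mint issues a clientAuth leaf whose URI SAN records the service it was meant for.
	mint := func(serial int64, cn, service string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		u, _ := url.Parse(service) // the constants above are well-formed URIs
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			URIs:         []*url.URL{u},
		}, ca, &key.PublicKey, caKey)
	}
	vpn, err := mint(2, "alice (VPN user)", VPNService)
	if err != nil {
		return nil, nil, nil, err
	}
	orders, err := mint(3, "orders-batch-job", OrdersService)
	if err != nil {
		return nil, nil, nil, err
	}
	return roots, vpn, orders, nil
}

// ChainOnly is the check the talk warns about: any clientAuth certificate that chains to
// the trusted CA is accepted, regardless of which service it was minted for.
func ChainOnly(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// AuthorizeClient adds the missing step: after chain and EKU validation the leaf must also
// carry this service's own identity, so a certificate minted for another service is refused.
func AuthorizeClient(leaf *x509.Certificate, roots *x509.CertPool, thisService string) error {
	if err := ChainOnly(leaf, roots); err != nil {
		return err
	}
	for _, u := range leaf.URIs {
		if u.String() == thisService {
			return nil
		}
	}
	return errors.New("valid certificate, but not issued for " + thisService)
}
```

Running `ChainOnly` at the VPN gateway accepts the orders-service certificate just as readily as the VPN user's, which is exactly the cross-service reuse the talk describes; `AuthorizeClient(orders, roots, VPNService)` returns an error while `AuthorizeClient(vpn, roots, VPNService)` returns nil. The design point is that chain validation answers "did our CA sign this?" and nothing more; which service a certificate is for has to be encoded at issuance and checked at the relying party.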
Ben is a Security Engineer with a focus on cloud, networking, automation, and security architecture. He has hands-on experience delivering secure infrastructures and building resilient detection and defence capabilities.
