6

I have a .PFX file used to strongly name several of our .NET assemblies. VS2010/MSBUILD seems to expect this to be in the personal container for the user account running VS2010/MSBUILD. This is all just fine and dandy when working in an interactive user account, but when attempting an automated build via TFS 2010 on the build agent, the account used by the build agent (by default) is NT-AUTHORITY/NetworkService.

Since I cannot log in to an interactive session as NetworkService, I can't just install the PFX from an interactive session's shell.

So can anyone tell me how I install a PFX certificate in the personal cert store of the NetworkService account?

Pete Stensønes

2 Answers

10

You need to open the Network Service certificate store, and add it.

To open the store:

  • From Start | Run: mmc.exe
  • File | Add/Remove Snapins and select Certificates then Add.
  • When prompted for the type of account select Service Account
  • Select local/remote computer as required
  • Select any service that's running as Network Service ("Remote Procedure Call (RPC)" runs as Network Service by default)
  • Finish the wizard and OK to close the add/remove dialog.
  • On the applicable category right click and select add tasks to find the import etc. operations.

Richard
0

The above accepted answer did not work for me. But using the psexec utility from Microsoft / Sysinternals did the trick for me.

  1. Download psexec. https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

  2. Open up a new console using psexec that will run as NETWORK SERVICE:

    .\PsExec64.exe -i -u "nt authority\network service" powershell

  3. Run mmc

  4. Add snapin for Certificate and use certificates from "My User Account"

  5. Do whatever you want with the personal certificates for this account

All personal certificates should be visible for NETWORK SERVICE now. These are somehow not the same certificates as I got when doing the accepted answer on a service that was running as NETWORK SERVICE.

This was at least needed for me to run the tool mage.exe that had a hard time doing code signing under the NETWORK SERVICE account since it only uses personal certificates.
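
A scripted equivalent of steps 3 to 5 above, added here as an example and not part of either answer: run it in the console that the PsExec command opens. The PFX path is a placeholder, and the .NET `X509Store` API is used in place of the MMC snap-in.

```powershell
# Added example. Run inside the PowerShell console started by PsExec above.
$ErrorActionPreference = 'Stop'
$PfxPath = 'C:\path\to\your-key.pfx'   # placeholder: replace with your own file

# Stop unless this process really is NETWORK SERVICE (well-known SID S-1-5-20);
# otherwise the certificate would be added to some other account's store.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-20') {
    throw "Running as '$($me.Name)', not NETWORK SERVICE. Nothing imported."
}

# Prompt for the PFX password so it is not typed on the command line.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# UserKeySet + PersistKeySet: store the private key under this account and keep
# it after the certificate object is released. Exportable is deliberately not set.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $password, $flags

# "My" under CurrentUser is the Personal store of the account running this process.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
             -ArgumentList 'My', 'CurrentUser'
$store.Open('ReadWrite')
try {
    $store.Add($cert)

    # Read the entry back from the store to confirm the import.
    $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $found) {
        throw 'Certificate was not found in the store after import.'
    }
    if (-not $found.HasPrivateKey) {
        Write-Warning 'Imported certificate has no private key; signing will fail.'
    }
    $found | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
finally {
    $store.Close()
}
```

Because the SID check runs first, starting the script from an ordinary interactive console stops before anything is imported.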