
I have a managed service account which needs a certificate in its personal store for decryption. I tried opening the Certificates snap-in and pointing to the service, but when I right-click on the "Personal" store the Request New Certificate option is not available. I only have Import... and Advanced Operations > Create Custom Request.

I tried creating a custom request in a number of different ways, but the certificate comes back with my user DN listed in the subject field, and the private key ends up in my current user's Certificate Enrollment Requests store.

I'd rather not abandon using a managed service account, but at this point it appears that I might have to. Any insights would be greatly appreciated.

bshacklett
  • I don't have the answer, but just for clarification: is this a standalone managed service account or a group managed service account? – Ryan Bolger Apr 28 '15 at 22:12
  • It's a standalone managed service account. Unfortunately, we haven't got licensing for 2012, yet. – bshacklett Apr 29 '15 at 14:21
  • If you are using the standard MS key store providers (i.e. not an HSM), you could probably create the certificate in your own store, complete the request, export from your store to a PFX and re-import to the store for your service. – jimbobmcgee Nov 13 '15 at 11:30
  • If you *are* using an HSM-backed provider, which prohibits export (as I was when I came here looking), you might be out of luck. My possible thoughts are to impersonate the MSA in code, then open the Current User store (good luck getting the impersonation token of an MSA, though); or to use GPO to deploy the certificate (presuming that MSAs will implement GPO settings, which I bet they won't). – jimbobmcgee Nov 13 '15 at 11:32
  • @jimbobmcgee nice idea. I'll be trying this soon – bshacklett Nov 17 '15 at 01:25
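A scripted form of the export/re-import workaround jimbobmcgee describes in the comments, as an added example that is not part of the original thread. It assumes a Microsoft software key provider (no HSM), that the custom request was created with "Make private key exportable" selected and then completed into the current user's Personal store, and that the target is the per-service store the Certificates snap-in shows under "Service account". The thumbprint, service name and PFX path are placeholders; the `ServiceName\My` store-name form for `certutil -service` is assumed from the documented `-service -store NTDS\My` usage.

```powershell
# Added example, not from the original thread. Replace the placeholders before use.
$Thumbprint  = 'PLACEHOLDER_THUMBPRINT'   # cert that landed in Cert:\CurrentUser\My after the request completed
$ServiceName = 'PLACEHOLDER_SERVICE'      # Windows service short name (as shown by sc query), not the MSA name
$PfxPath     = Join-Path $env:TEMP 'svc-cert.pfx'

# 1. Confirm the certificate and its private key are in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "No private key bound; complete the request in this store first" }

# 2. Export certificate + private key to a password-protected PFX.
#    certutil is used rather than Export-PfxCertificate so this also works on 2008 R2.
$pfxPassword = Read-Host -Prompt 'One-time PFX password'
certutil -user -p $pfxPassword -exportPFX My $Thumbprint $PfxPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Export failed; the key may be non-exportable (HSM/KSP policy)' }

# 3. Import into the per-service store ("Service account" view in the snap-in).
#    NoExport marks the imported key non-exportable so this copy cannot be pulled back out.
#    Assumption: store name form ServiceName\My, mirroring certutil -service -store NTDS\My.
certutil -service -p $pfxPassword -importPFX "$ServiceName\My" $PfxPath NoExport | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Import into $ServiceName\My failed" }

# 4. Verify the service store now holds the certificate, then remove the PFX on disk.
certutil -service -store "$ServiceName\My" $Thumbprint
Remove-Item $PfxPath -Force

# 5. Once the service is confirmed working, remove the original copy from the user store
#    so the private key does not linger under the admin's profile:
#    certutil -user -delstore My $Thumbprint
```

The PFX and the copy in the requesting user's store are the weak points of this approach: both hold the private key, so the PFX is deleted as soon as the import succeeds and the user-store copy should be removed once the service is verified.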
