
I want to add a certificate to the certificate store belonging to a Windows service, from the command line. So far, the only thing I've found is:

certutil -service -store ADAM_Instance-Name\My

When I run it (logged on as myself, in a Command Prompt as Administrator) it returns:

ADAM_Instance-Name\My
CertUtil: -store command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.

I've tried wrapping the Service\Store name in double quotes (same result) and single quotes (same result) and using a forward slash or space instead of the backslash, both giving:

ADAM_Instance-Name\My
CertUtil: -store command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

Can anyone help with the syntax for this command, or help with an alternative method?

user2871239
  • What sort of account is the service running as? Can you log in to that same account interactively? Alternatively, have you considered adding the certificate to the computer store so that it is available to all users? (What kind of certificate is it, anyway?) – Harry Johnston Jan 17 '19 at 02:05
  • The services are running with domain accounts. It's currently possible but it won't be for long due to imminent changes in policy. You can have multiple instances of AD LDS on the same server. You could put all CNAMEs on a single cert but it becomes cumbersome to manage in an enterprise with stringent change control, so you want to be able to manage the cert at the service level. It's a server certificate (i.e. same as you'd use for SSL on a web server). – user2871239 Mar 19 '19 at 15:42

1 Answer

You can't import a certificate into someone's Personal (My) store. I'm not sure if "Run As..." will work, because this operation requires a user profile to be loaded. You may try to interactively log on under the service account (if possible) and import the certificate.

Alternatively, you can try to install the certificate in the LocalMachine\My store and grant private key read permissions to the service account.

Crypt32
  • From my reading, certificates are stored in the registry, normally in `HKLM\SOFTWARE\Microsoft\SystemCertificates` or `HKCU\Software\Microsoft\SystemCertificates`. I believe service certificates are stored in `HKLM\SOFTWARE\Microsoft\Cryptography\Services\_Service-name_\SystemCertificates`, so I'm not sure you're correct. – user2871239 Jan 16 '19 at 13:33
  • Private keys aren't stored in registry. – Crypt32 Jan 16 '19 at 13:35
  • Aren't the private keys here: `C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys`? – user2871239 Jan 16 '19 at 13:37
  • Only machine certificates are stored there. User certificates are stored in user profiles. – Crypt32 Jan 16 '19 at 13:38
  • Yes, but these aren't user certificates. In my case, the service is running under a custom domain account so you'd think it would but it doesn't seem to matter. When I imported the certificate using the UI to the Service Account, a file appeared in that folder. The service couldn't use the certificate until I granted the service account read access on that file, so I'm inferring that that file contains the private key as if it were a LocalMachine-level certificate. – user2871239 Jan 16 '19 at 13:44
  • This is what I suggested in my answer. Install to LocalMachine and grant read permissions to your custom domain account. – Crypt32 Jan 16 '19 at 13:52
  • I was trying to avoid that as it complicates the change management process. – user2871239 Jan 16 '19 at 15:39
  • Unfortunately, there are not many choices. A certificate installed in LocalMachine with permissions granted to the service account is the easiest. – Crypt32 Jan 16 '19 at 15:43
  • I may be mistaken, but I don't think logon scripts are run for services. – Harry Johnston Jan 17 '19 at 01:44
  • Yes, you are correct, logon scripts are not executed during "logon as service". – Crypt32 Jan 17 '19 at 19:41
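The approach Crypt32 recommends (install into LocalMachine\My, then grant the service account read access to the private key file) as an added PowerShell example; this is not code from the original question or answer. The PFX path, the password prompt, and the service account name are assumptions; the key file locations are the standard machine key folders (the RSA\MachineKeys folder mentioned in the comments for CSP keys, Crypto\Keys for CNG keys).

```powershell
# Added example (not from the original question or answer). Assumptions, constructed for
# this example: the PFX path, the PFX password prompt, and the domain account the
# AD LDS instance runs as. Run from an elevated PowerShell on the AD LDS host.
$pfxPath = 'C:\certs\adam-ldaps.pfx'          # assumed path to the server certificate
$account = 'CONTOSO\svc-adam'                 # assumed service account of the instance
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import into the computer's Personal store (LocalMachine\My), which services can read
#    without a loaded user profile.
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Locate the private key file on disk. Legacy CSP (CAPI) keys live under
#    ProgramData\Microsoft\Crypto\RSA\MachineKeys (the folder from the comments);
#    CNG (KSP) keys live under ProgramData\Microsoft\Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                              # CNG key file name
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # CSP key file name
}
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under ProgramData\Microsoft\Crypto" }

# 3. Grant the service account Read only (not Full Control): that is all it needs to
#    use the key, and it keeps the key from being re-exported or re-ACLed by the service.
icacls $keyFile /grant "${account}:(R)"

# 4. Verify: the certificate is in LocalMachine\My and the ACL now lists the account.
certutil -store My $cert.Thumbprint
icacls $keyFile
```

If the service keeps running after the change, restart it so it re-opens the key with the new ACL in effect.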