4

The Windows MMC Certificates snap-in lets an Administrator work with "Service account", but how are those certificates accessed by a service?

If I import to Personal as an Administrator using "Service account", and my service running as a standard user looks in StoreLocation.CurrentUser (or StoreLocation.LocalMachine) using System.Security.Cryptography.X509Certificates.X509Store, it does not find the certificate.

If instead I log on as the service account and import the certificate to Personal from that standard user account, then the certificate is found by the service.

Where does the snap-in put the certificate for "Service account", and how does a service find it using the .NET classes?

Jim Flood

2 Answers

3

The certificates are stored in the registry under HKLM. For example, if the service name is MYSERVICE then the Personal store certificates are here:

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\MYSERVICE\SystemCertificates\My\Certificates`

This MSDN page has more details: System Store Locations

I don't see where the private key is held -- perhaps in the blob data. To access this store from .NET I would have to P/Invoke (cf. here.)

I don't plan to use the "Service account" so I'm not looking further.

Jim Flood
  • I had trouble finding certificates that I expected to show up under CertMgr for a Service Account (LocalService/NetworkService), however I've noticed that service account certificates can be found here instead (possibly depending upon the `X509KeyStorageFlags` value used) when using the NetFx `X509Store` class to add certificates: `%SystemRoot%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates` – Thracx May 02 '19 at 15:04
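
One way to do the P/Invoke mentioned in the answer above, as an added example that is not part of the original answer or its comments: open the per-service store read-only with `CertOpenStore` and hand the handle to `X509Store`. The class name `ServiceCertStore` is hypothetical, `MYSERVICE` is the answer's placeholder service name, and the caller is assumed to have read access to the HKLM key shown above.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (added example, not from the original answer).
static class ServiceCertStore
{
    // Constants from wincrypt.h.
    const int  CERT_STORE_PROV_SYSTEM_W      = 10;
    const uint CERT_SYSTEM_STORE_SERVICES    = 5u << 16;    // 0x00050000
    const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;  // do not create a missing store
    const uint CERT_STORE_READONLY_FLAG      = 0x00008000;  // inspection only

    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
        IntPtr hCryptProv, uint dwFlags, string pvPara);

    [DllImport("crypt32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // For CERT_SYSTEM_STORE_SERVICES the store is named "ServiceName\StoreName".
    public static X509Certificate2Collection Read(string serviceName, string storeName)
    {
        IntPtr h = CertOpenStore((IntPtr)CERT_STORE_PROV_SYSTEM_W, 0, IntPtr.Zero,
            CERT_SYSTEM_STORE_SERVICES | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG,
            serviceName + "\\" + storeName);
        if (h == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            var store = new X509Store(h);   // wraps the native HCERTSTORE
            try { return new X509Certificate2Collection(store.Certificates); }
            finally { store.Close(); }
        }
        finally { CertCloseStore(h, 0); }   // release the handle we opened
    }

    static void Main()
    {
        // HasPrivateKey shows whether a key is associated with each certificate.
        foreach (X509Certificate2 c in Read("MYSERVICE", "My"))
            Console.WriteLine("{0}  {1}  HasPrivateKey={2}",
                c.Thumbprint, c.Subject, c.HasPrivateKey);
    }
}
```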
0

Ugh. I never use Service Account. I always use Computer Account when installing SSLs to be used by IIS. Are you sure you need to use Service Account? If so, you probably should ask the pros at Server Fault (http://serverfault.com/).

anon