
Can anyone point me in the right direction for managing read permissions for certificates from the command line? I'm scripting our certificate installation, and need to allow NetworkService to access 2 certificates in the "Local Computer\Personal\Certificates" store.

Thanks in advance

jaspernygaard

1 Answer

I've done that to grant our web application access to the private key of a cert that was installed in Windows.

Here's a PowerShell script. It relies on FindPrivateKey.exe from Microsoft.

# Use FindPrivateKey.exe (from the Windows SDK / WCF samples) to get the file name of the private key.
# "My LocalMachine" is the Local Computer\Personal store, -t selects the cert by thumbprint,
# and -a prints the full path of the key file (under %ProgramData%\Microsoft\Crypto\...).
# The backtick-escaped quotes keep the thumbprint as one argument when cmd parses the line.
$s = cmd /c "FindPrivateKey.exe My LocalMachine -t `"9D1F685D554E5B04C591D7967FB0D151153A25D8`" -a"

# Grant read access on the private key file: /E edits the existing ACL instead of replacing it,
# /G <account>:R adds a Read entry. Swap IIS_IUSRS for "NETWORK SERVICE" if that is the account you need.
cmd /c "cacls.exe `"$s`" /E /G `"IIS_IUSRS`":R"
Jamey
  • I think I got FindPrivateKey.exe from Windows Communication Foundation (WCF) Samples @ http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21459. – Jamey Aug 31 '11 at 22:42
  • Thanks, I've got FindPrivateKey.exe - I'll try it out! – jaspernygaard Sep 01 '11 at 12:11
  • I'm putting this in a batch script and for some odd reason, findprivatekey.exe doesn't find the specified certificate when run from the batch file, but works perfectly from the command line!? – jaspernygaard Sep 01 '11 at 14:52
  • Are you running the batch script under the same user account as when you run from the command line? If you used my example, it's powershell. In that case is it a .ps1 file? – Jamey Sep 01 '11 at 18:25
  • Yeah using the exact same console to invoke findprivatekey.exe method. When invoked from inside the batch file, it returns no certificate path - when directly in the console, it finds it perfectly. Strange... – jaspernygaard Sep 02 '11 at 05:24
  • Works for me from DOS and PowerShell. Are you sure you got the quotes correct? The example above assumes you're in PowerShell. For DOS, the quotes are a little different. I created a .bat file as follows:
    echo find from dos shell
    FindPrivateKey.exe My LocalMachine -t "9D1F685D554E5B04C591D7967FB0D151153A25D8" -a
    echo find from powershell
    powershell -command ./find-privatekey.ps1
    pause
    – Jamey Sep 02 '11 at 15:25
  • Ahh, I'm fetching the key by its name and unfortunately there are localized characters in the string. So it was a basic UTF-8 error. Thanks for helping out! – jaspernygaard Sep 06 '11 at 09:05
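The same two steps the answer performs (locate the private key file for a certificate, then add a Read ACE for a service account) can be done without FindPrivateKey.exe or cacls.exe, which matters when the machine has no SDK installed or when, as in the asker's case, the key has to be granted to NetworkService. The script below is an added example, not code from the answer or from Microsoft; it assumes it runs elevated on Windows PowerShell 5.1 or PowerShell 7, that the certificate lives in Cert:\LocalMachine\My, and that the thumbprint is supplied by the caller (the value shown is a placeholder). It handles both CAPI keys (stored under RSA\MachineKeys) and CNG keys (stored under Keys), which FindPrivateKey.exe, written for CAPI, does not.

```powershell
# Added example: grant a service account Read on a certificate's private key file
# using built-in PowerShell and .NET only. Run from an elevated prompt.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',          # replace with the real thumbprint
    [string]$Identity   = 'NT AUTHORITY\NETWORK SERVICE'     # account that needs read access
)

function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }

    $uniqueName = $null
    # Preferred path (.NET 4.6+): ask for the RSA key and read its container/unique name.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $uniqueName = $rsa.Key.UniqueName                              # CNG key file name
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # CAPI key file name
        }
    } catch { }
    # Fallback for older runtimes where only the legacy PrivateKey property exists (CAPI only).
    if (-not $uniqueName -and $Cert.PrivateKey) {
        $uniqueName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not $uniqueName) { throw "Could not determine the key container for $($Cert.Thumbprint)" }

    # Machine keys live under ProgramData: CAPI under RSA\MachineKeys, CNG under Keys.
    $candidates = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($dir in $candidates) {
        $path = Join-Path $dir $uniqueName
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw "Key file '$uniqueName' not found under $($candidates -join ', ')"
}

function Grant-PrivateKeyRead {
    param([string]$KeyPath, [string]$Identity)
    # Add a single Allow/Read ACE; existing entries are preserved (same effect as cacls /E /G ...:R).
    $acl  = Get-Acl -LiteralPath $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$keyPath = Get-PrivateKeyPath -Cert $cert
Grant-PrivateKeyRead -KeyPath $keyPath -Identity $Identity

# Verify: show the ACEs that now apply to the requested identity on the key file.
(Get-Acl -LiteralPath $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Identity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Select the certificate by thumbprint rather than by subject name: the thumbprint is unambiguous and pure ASCII, which sidesteps the localized-character problem reported in the comments, and Read is the only right the service needs to use the key, so nothing broader is granted.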