mark

Reputation: 62746

How to grant an account permissions to access a certificate?

I have a certificate in the MSMQ service Personal store and I need to grant the Network Service the permissions to access the certificate.

The only way that I know of to do it is using the certutil.exe on win2008/7 like so:

certutil -service -service -repairstore MSMQ\My "" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)

(thanks to http://blogs.msdn.com/b/gautamm/archive/2010/10/26/https-messaging-with-client-side-certificate-fails-with-iis-error-403.aspx)

However, certutil on win2003/XP does not recognize the -service parameter, so no good.

My question is how can I do it in a way that works for both Win2003/XP and Win2008/7?

I need a non interactive approach (command line utility, script, COM/.NET/Win32 API).

Upvotes: 7

Views: 55180

Answers (2)

Ray Porrata

Reputation: 87

We had a similar problem with a scheduled app that posts to a secured site.

The certificate store was not accessible by the client. The link posted below mentioned managing the certificates from the Windows 2008 R2 MMC snap-in and granting access to the user account in question. We were able to run the scheduled process this way and grant access to the account running the client.

The other solution, via the scheduler, was to grant the highest level of access for the program (SECURITY RISK) and allow it to run like an admin.

Here is the link referenced above http://msmvps.com/blogs/luisabreu/archive/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5.aspx

Upvotes: 1

Jim Flood

Reputation: 8467

If you just need to set ACL rights on the certificate's private key (which your linked page suggests), I just recently posted an answer here on how I found to do that.

Open the X509Store and get the current certificate in hand, and then set the ACL on the private key.

You can use something like this to get the SID of the account needing access (or just use the well-known SID S-1-5-20 if you know it's always Network Service):

using System.Security.Principal;
// Resolve the account name to its SID (for Network Service this yields the well-known S-1-5-20)
NTAccount nt = new NTAccount("NT_AUTHORITY", "NetworkService");
SecurityIdentifier sid = (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));

My other answer has the code that sets the ACL. (Caveat: I've run it on Windows Server 2003 but not XP.)

Upvotes: 5
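A worked version of the steps this answer describes (open the store, find the certificate, set the ACL on its private key), added here as an example; it is not code from the answer or from any linked page. It assumes .NET Framework, a CSP-backed RSA key in LocalMachine\My (CNG keys are stored elsewhere and are not handled), and grants only Read, which is all a process needs to use the key.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example: grant an account Read access to a certificate's private key.
// Assumes a CAPI (CSP) RSA key, whose file lives under
// %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (CNG keys are not handled).
static class PrivateKeyAcl
{
    static void Main(string[] args)
    {
        // Thumbprint of the target certificate (placeholder; pass the real one).
        string thumbprint = args.Length > 0 ? args[0] : "THUMBPRINT_PLACEHOLDER";
        // Well-known SID for NT AUTHORITY\NetworkService (S-1-5-20).
        var sid = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        GrantReadOnPrivateKey(thumbprint, sid);
    }

    static void GrantReadOnPrivateKey(string thumbprint, SecurityIdentifier sid)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one certificate with that thumbprint.");
            var cert = found[0];
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new InvalidOperationException("No CSP-backed RSA private key (missing or CNG key).");
            // The key container name is the file name of the on-disk key blob.
            string keyFile = Path.Combine(
                Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                             @"Microsoft\Crypto\RSA\MachineKeys"),
                rsa.CspKeyContainerInfo.UniqueKeyContainerName);
            FileSecurity acl = File.GetAccessControl(keyFile);
            // Read is sufficient to use the key; do not grant Full Control.
            acl.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, acl);
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it elevated, since modifying MachineKeys ACLs requires administrative rights; the MSMQ service store from the question is a service store, which X509Store's StoreName enum does not open directly, so the certificate would first need to be located in a store this API can reach.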
