If I needed to give a certificate an additional permission as described below, where do I even begin in PowerShell? There must be a Windows command-line executable that I have to start with from the command line. Only then could I think about writing it in a PowerShell script, correct?
- Click Start, type mmc in the Search programs and files box, and then press ENTER.
- On the File menu, click Add/Remove Snap-in.
- Under Available snap-ins, double-click Certificates.
- Select Computer account, and then click Next.
- Click Local computer, and then click Finish. Click OK.
- Under Console Root, Certificates (Local Computer), in the Personal store, click Certificates.
- Right-click the xxAzurehost1 certificate that has been created earlier. Choose All Tasks > Manage Private Keys. Click Add and then Advanced. Click Locations and choose your local computer. Click Find Now. Select NETWORK SERVICE in the search results and click OK. Click OK. In the Permissions for xxxazurehost1 private keys window, select NETWORK SERVICE and give Read permissions. Click OK.
To control the ACL for the private key all you have to do is edit a file ACL. The trick is to find which file.
Private keys are stored in:
On XP:
Under here you’ll see keys organized by algorithm e.g. DSS, RSA.
The user store will be a subfolder named with the user's SID. The local machine store will be in the subfolder:
Here’s a way to get the file which stores the private key information for your cert.
First go into the local machine personal certificate store:
Now you have to get a handle to your cert. There’s more than one way to do this, here’s one using the thumbprint:
Now you can find the private key file name like this:
$keyFile will be the FileInfo object you can change the ACL on with either Set-ACL or icacls.exe.
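The procedure the answer describes, end to end, as an added example (not the answerer's own script): locate the certificate in the local machine Personal store by thumbprint, resolve the file that holds its private key, and grant NETWORK SERVICE Read only. It assumes an elevated PowerShell session, a placeholder thumbprint you replace with your own, and that the key lives under %ProgramData%\Microsoft\Crypto (the CSP container name comes from CspKeyContainerInfo for legacy keys, and from the CNG key's UniqueName otherwise).

```powershell
# Added example, not from the original answer. Run elevated.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'          # replace with your cert's thumbprint
$account    = 'NT AUTHORITY\NETWORK SERVICE'

# Step 1: get a handle to the cert in the local machine Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)                { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $thumbprint has no private key" }

# Step 2: resolve the private key file name.
# Legacy CSP (CAPI) keys expose it via CspKeyContainerInfo and live under
# ...\Microsoft\Crypto\RSA\MachineKeys; CNG keys live under ...\Microsoft\Crypto\Keys.
$keyName = $null
try {
    if ($cert.PrivateKey) { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
} catch { }   # .PrivateKey throws for CNG keys on older .NET; fall through
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa.Key) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw 'Could not determine the private key container name' }

$keyFile = Get-ChildItem -Path (Join-Path $env:ProgramData 'Microsoft\Crypto') `
    -Recurse -File -Force -Filter $keyName | Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }

# Step 3: add a Read-only ACE for the service account, keeping the existing ACL.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Step 4: show the resulting entry so the change can be checked.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Granting Read rather than FullControl keeps the private key file itself readable only by the service that needs it; anything broader would let the service rewrite or delete the key.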