This article will demonstrate how to manage Windows private key permissions. If a Windows service runs as a user or service account that needs access to a private key, you will receive certificate errors when that account does not have the correct permissions on the key.
For example, the default NETWORK SERVICE account may be running a service that needs access to an installed private key.
Check Private Key Permissions in Windows
First, open the Certificates snap-in by following these steps.
- Press the Windows key + R to open the Run dialog.
- Enter mmc and click OK.
- In the Console window, click File -> Add/Remove Snap-in…
- Select the Certificates snap-in and click Add >, select Computer account, click Next, click Finish, then click OK.
Now that you are in the Certificates snap-in, navigate to the Personal certificate store and click on the certificate you want to inspect: Console Root -> Certificates (Local Computer) -> Personal -> Certificates.
Right-click the certificate and select All Tasks -> Manage Private Keys…
Inspect the listed groups or user names and their corresponding permissions.
Add Private Key Permissions in Windows
In the same permissions dialog opened in the previous section, add or remove user accounts from the private key permissions. Decide whether each account should have Full control, Read, or Special permissions, then click OK.
If you are adding permissions for the NETWORK SERVICE account, you may have to widen the search location or object types so that local computer or network accounts are included.
Windows Private Key Management in PowerShell
Alternatively, you can manage private key permissions in PowerShell. Consider the following PowerShell script.
# Get the certificate and its private key (replace <certificate id> with the certificate's thumbprint)
$cert = Get-ChildItem Cert:\LocalMachine\My\<certificate id>
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# Locate the key file on disk. This path applies to CNG keys held by the
# Microsoft Software Key Storage Provider; legacy CSP keys live under
# $env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys instead.
$name = $key.Key.UniqueName
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$name"
# Read the current file permissions
$permissions = Get-Acl -Path $path
# Create the permission (use "Read" instead of "FullControl" if the account only needs to use the key)
$permission = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "FullControl", "Allow")
# Apply the permission
$permissions.AddAccessRule($permission)
Set-Acl -Path $path -AclObject $permissions
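The script above assumes a CNG key and grants Full control. The following is an added example, not part of the original article, that covers both the inspection step from the earlier sections and the grant step of the script: it resolves the key file for either a CNG or a legacy CSP key, lists who currently has access, and grants NETWORK SERVICE only Read access, which is all a service needs to use the key. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows and a software-backed machine key; the function names and the thumbprint value are constructed for this example.

```powershell
# Added example (not from the original article): inspect and grant least-privilege
# access to a machine certificate's private key file.
# Assumptions: run elevated; key is held by the Microsoft Software Key Storage
# Provider (CNG) or a legacy CSP. Hardware/TPM-backed keys have no file to ACL.

function Get-PrivateKeyFilePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key."
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) {
        throw "No RSA private key is associated with $($Certificate.Thumbprint)."
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the file lives under ProgramData\Microsoft\Crypto\Keys
        if (-not $rsa.Key.IsMachineKey) { throw "Key is a user-profile key, not a machine key." }
        $name = $rsa.Key.UniqueName
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }
    else {
        throw "Unsupported key type $($rsa.GetType().FullName)."
    }

    # An empty name means the provider does not expose a file (e.g. TPM/smart card).
    if ([string]::IsNullOrEmpty($name) -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Key file not found for $($Certificate.Thumbprint); the key may be hardware-backed."
    }
    return $path
}

function Show-PrivateKeyAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Equivalent of the "Manage Private Keys..." dialog: who can do what with the key file
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $acl = Get-Acl -LiteralPath $Path
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    }
    if ($already) {
        Write-Warning "$Account already has an Allow entry ($($already.FileSystemRights -join ', ')); not adding another."
        return
    }
    # Read is sufficient for a service to load and use the key; avoid FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (constructed placeholder thumbprint; replace with a real one from Cert:\LocalMachine\My)
$thumbprint = '0000000000000000000000000000000000000000'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if ($null -eq $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My." }

$keyPath = Get-PrivateKeyFilePath -Certificate $cert
Show-PrivateKeyAccess -Path $keyPath      # before
Grant-PrivateKeyRead  -Path $keyPath
Show-PrivateKeyAccess -Path $keyPath      # after: NETWORK SERVICE should now show Read
```

The type check on the returned RSA object is what decides the folder: GetRSAPrivateKey returns an RSACng for keys held by a key storage provider and an RSACryptoServiceProvider for keys held by a legacy CSP, and the two store their files in different directories. Running Show-PrivateKeyAccess before and after the grant gives the same view the Manage Private Keys dialog shows, so the change can be confirmed without opening the snap-in.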
Conclusion
This article has demonstrated how to inspect, add, and remove private key permissions in Windows. Let us know in the comments if you have any questions. If this article was helpful, please read more of our content.