Windows Private Key Permissions

March 17, 2023 by Mister PKI

This article will demonstrate how to manage Windows Private Key Permissions. If you have a Windows Service running as a user or service account that needs access to a private key, you will receive certificate errors if the account does not have the correct permissions.

For example, the default NETWORK SERVICE account may be running a service that needs access to an installed private key.

Check Private Key Permissions in Windows

First, open the Certificates snap-in by following these steps.

  1. Press the Windows key + R to open the Run command.
  2. Enter mmc and click OK.
  3. In the Console Window, click File -> Add/Remove Snap-in…
  4. Select the Certificates snap-in and click Add >, click Computer account, click Next, click Finish, then click OK.

Now that you are in the Certificates snap-in, navigate to the Personal certificate store and click on the certificate you want to inspect: Console Root -> Certificates (Local Computer) -> Personal -> Certificates.

Right-click the certificate you are interested in and select All Tasks -> Manage Private Keys…

Inspect the listed groups or user names and their corresponding permissions.

Add Private Key Permissions in Windows

In the same permissions screen opened in the previous section, add or remove user accounts from the private key permissions. Check whether they should have Full control, Read, or Special permissions and click OK.

If you are adding permissions to the NETWORK SERVICE account, you may have to select the additional search parameters to include local computer or network accounts.

Windows Private Key Management in PowerShell

Alternatively, you can manage private key permissions in PowerShell. Consider the following PowerShell script.

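# Get the certificate and private key
# (replace <certificate id> with the certificate's thumbprint, which is its name in the Cert: drive)
$cert = Get-ChildItem "Cert:\LocalMachine\My\<certificate id>"
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# Get the file permissions
# This path holds keys stored by CNG providers; keys stored by legacy CryptoAPI
# providers live under Microsoft\Crypto\RSA\MachineKeys instead.
$name = $key.Key.UniqueName
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$name"
$permissions = Get-Acl -Path $path
# Create the permission
# FullControl is what this script grants; Read is normally enough for a service that only uses the key.
$permission = New-Object System.Security.AccessControl.FileSystemAccessRule "NETWORK SERVICE", "FullControl", "Allow"
# Apply the permission
$permissions.AddAccessRule($permission)
Set-Acl -Path $path -AclObject $permissions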
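
The check from the first section can also be scripted. The following is an added example, not code from the original article: it lists the ACL of every RSA private key file under Cert:\LocalMachine\My and marks write-level grants to unexpected accounts. The function name Get-KeyFilePath and the $expectedSids allow-list (SYSTEM and BUILTIN\Administrators) are assumptions to adjust for your environment.

```powershell
# Added example: report who can reach each RSA private key under Cert:\LocalMachine\My.
# Run from an elevated session; key files are normally unreadable to standard users.
$keyDirs = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys",            # CNG key storage providers
           "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys"  # legacy CryptoAPI providers
# Assumption: only SYSTEM and BUILTIN\Administrators should hold write-level rights.
$expectedSids = 'S-1-5-18', 'S-1-5-32-544'
$rights = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights::Write -bor $rights::Delete -bor $rights::ChangePermissions -bor $rights::TakeOwnership)

function Get-KeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }                 # key missing or not accessible
    if ($null -eq $rsa) { return $null }     # not an RSA key
    # RSACng exposes Key.UniqueName; RSACryptoServiceProvider exposes CspKeyContainerInfo.
    if ($rsa.PSObject.Properties['Key']) { $name = $rsa.Key.UniqueName }
    else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    if (-not $name) { return $null }         # no persisted key name
    foreach ($dir in $keyDirs) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null                             # key is not stored as a file in either directory
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    $path = Get-KeyFilePath -Cert $cert
    if (-not $path) { continue }
    foreach ($rule in (Get-Acl -LiteralPath $path).Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $canWrite = $rule.AccessControlType -eq 'Allow' -and (([int]$rule.FileSystemRights -band $writeMask) -ne 0)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Identity   = $rule.IdentityReference.Value
            Rights     = $rule.FileSystemRights
            Access     = $rule.AccessControlType
            Review     = $canWrite -and ($expectedSids -notcontains $sid)
        }
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with Review set to True are accounts outside the allow-list that can modify or delete the key file.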

Conclusion

This article has demonstrated how to inspect, add, and remove private key permissions in Windows. Let us know in the comments if you have any questions. If this article was helpful, please read more of our content.
