Grant-CPermission only works with legacy CryptoAPI cert store not CNG store
kjsmithtx opened this issue · comments
If a certificate is of the type that gets stored in the CNG store and not the CryptoAPI store, then the Grant-CPermission cannot find it and errors. This is how I handled it in my code, maybe you can include this capability in Carbon:
```powershell
# $MyCert is the X509Certificate2 to grant access to, $CertPath is its cert: drive
# store path (e.g. Cert:\LocalMachine\My) and $ServiceUser is the account to grant.

# legacy CryptoAPI store: PrivateKey is populated, so Carbon can set the ACL on the cert
if ($MyCert.PrivateKey)
{
    $MyCertPath = $CertPath + '\' + $MyCert.Thumbprint
    Grant-CPermission -Identity $ServiceUser -Permission 'GenericRead' -Path $MyCertPath
}
# CNG store: PrivateKey is $null, so grant Read on the key file directly
else
{
    # Identify the user you'll be granting permission to
    $Grantee = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList ($ServiceUser)
    # GetRSAPrivateKey returns an RSACng whose Key.UniqueName is the key file name
    $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($MyCert)
    $CertFile = $rsaCert.Key.UniqueName
    # machine CNG keys live under ProgramData\Microsoft\Crypto\Keys
    $MyCertPath = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$CertFile"
    $CertPermissions = Get-Acl -Path $MyCertPath
    $access_rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($Grantee, 'Read', 'None', 'None', 'Allow')
    $CertPermissions.AddAccessRule($access_rule)
    Set-Acl -Path $MyCertPath -AclObject $CertPermissions
}
```
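The snippet above branches on `PrivateKey`; as an added example (not Carbon's code, not the issue author's), here is a helper that instead inspects the RSA object `GetRSAPrivateKey` returns, resolves the key file for either store and feeds it to `Grant-CPermission`. It assumes a LocalMachine store (user-store keys live under the user's profile), an RSA key, and placeholder values for the thumbprint and service identity.

```powershell
# Added example. Assumes a LocalMachine certificate with an RSA key; <THUMBPRINT> and the service name are placeholders.
function Get-CertPrivateKeyFile
{
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    if (-not $Certificate.HasPrivateKey)
    {
        Write-Warning "Certificate $($Certificate.Thumbprint) has no private key."
        return $null
    }
    # GetRSAPrivateKey works for both stores: RSACng for CNG keys,
    # RSACryptoServiceProvider for legacy CryptoAPI keys (.NET Framework 4.6+).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa)
    {
        Write-Warning "Certificate $($Certificate.Thumbprint) has a non-RSA key (e.g. ECDSA); not handled here."
        return $null
    }
    if ($rsa -is [System.Security.Cryptography.RSACng])
    {
        # CNG: CngKey.UniqueName is the file name under the machine CNG key directory.
        $store    = 'CNG'
        $keyDir   = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\Keys'
        $fileName = $rsa.Key.UniqueName
    }
    else
    {
        # CryptoAPI (RSACryptoServiceProvider): the container file lives under RSA\MachineKeys.
        $store    = 'CryptoAPI'
        $keyDir   = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
        $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $path = Join-Path $keyDir $fileName
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Store      = $store
        KeyFile    = $path
        Exists     = (Test-Path -LiteralPath $path)
    }
}
# Usage: Read on the key file is all a service account needs to use the certificate.
$cert = Get-Item -Path 'Cert:\LocalMachine\My\<THUMBPRINT>'
$key  = Get-CertPrivateKeyFile -Certificate $cert
if ($key -and $key.Exists)
{
    Grant-CPermission -Identity 'NT SERVICE\MyService' -Permission 'Read' -Path $key.KeyFile
}
```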
This is really awesome! Are there any other ways to detect if a certificate is in the CNG store other than checking the PrivateKey property?
Here is some discussion on other ways: https://stackoverflow.com/questions/17185429/how-to-grant-permission-to-private-key-from-powershell/22146915#22146915
Can you generate a certificate I can use to duplicate this issue? Or show me how?