webmd-health-services / Carbon

Grant-CPermission only works with legacy CryptoAPI cert store not CNG store

kjsmithtx opened this issue · comments

If a certificate is of the type that gets stored in the CNG store and not the CryptoAPI store, then Grant-CPermission cannot find it and errors. This is how I handled it in my code; maybe you can include this capability in Carbon:

	# Assumed to be set earlier in the script: $MyCert (the X509Certificate2),
	# $CertPath (the certificate store path) and $ServiceUser (the account to grant).
	# legacy CryptoAPI store: the PrivateKey property is populated
	if ($MyCert.PrivateKey)
	{
		$MyCertPath = $CertPath + '\' + $MyCert.Thumbprint
		Grant-CPermission -Identity $ServiceUser -Permission 'GenericRead' -Path $MyCertPath
	}
	# CNG store: PrivateKey is null, so resolve the key file on disk and ACL it directly
	else
	{
		# Identify the user you'll be granting permission to
		$Grantee = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList ($ServiceUser)
		$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($MyCert)
		# UniqueName is the file name of the key under the machine CNG key directory
		$CertFile = $rsaCert.Key.UniqueName
		$MyCertPath = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$CertFile"
		$CertPermissions = Get-Acl -Path $MyCertPath
		$access_rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($Grantee, 'Read', 'None', 'None', 'Allow')
		$CertPermissions.AddAccessRule($access_rule)
		Set-Acl -Path $MyCertPath -AclObject $CertPermissions
	}
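
An added example (not Carbon's code and not the issue author's) that picks the store by the type GetRSAPrivateKey hands back rather than by PrivateKey being null: on Windows PowerShell 5.1 / .NET Framework it returns RSACng for a CNG key and RSACryptoServiceProvider for a CryptoAPI key, and each type exposes the on-disk key file name. The function names, the two default machine key directories, RSA-only keys and the service account placeholder are assumptions.

```powershell
# Added example, not Carbon's code. Assumes an RSA certificate from the machine
# store and the default key directories under %ProgramData%\Microsoft\Crypto.
function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw "No RSA private key, or no access to it: $($Certificate.Thumbprint)" }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: UniqueName is the file under the KSP key directory
        $name = $rsa.Key.UniqueName
        $dir  = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\Keys'
        $kind = 'CNG'
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CryptoAPI key: the unique container name is the file under MachineKeys
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
        $kind = 'CryptoAPI'
    } else {
        throw "Unsupported key provider type: $($rsa.GetType().FullName)"
    }

    # Some providers return an absolute path in UniqueName; accept either form.
    $path = if (Test-Path -LiteralPath $name) { $name } else { Join-Path $dir $name }
    [pscustomobject]@{ Kind = $kind; Path = $path }
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Identity
    )
    $key = Get-PrivateKeyFile -Certificate $Certificate
    if (-not (Test-Path -LiteralPath $key.Path)) { throw "Key file not found ($($key.Kind)): $($key.Path)" }

    # Grant only Read: the service needs to use the key, not rewrite or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl  = Get-Acl -LiteralPath $key.Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key.Path -AclObject $acl

    # Return the resulting entries for the identity so the change can be verified.
    (Get-Acl -LiteralPath $key.Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage (thumbprint and service account are placeholders):
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Grant-PrivateKeyRead -Certificate $cert -Identity 'NT SERVICE\MyService'
```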

This is really awesome! Are there any other ways to detect if a certificate is in the CNG store other than checking the PrivateKey property?

Can you generate a certificate I can use to duplicate this issue? Or show me how?