PSCertificateEnrollment

Cmdlet Idea: Grant-PrivateKeyAccess

Open Viajaz opened this issue 3 years ago • 3 comments

A Cmdlet which grants Permissions to the Private Key of a Certificate in the Certificate Store would be useful.

Example: $Certificate could perhaps be a location such as cert:\LocalMachine\My\FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, or perhaps just a thumbprint? $Identity would be the security principal (e.g. NETWORK SERVICE or DOMAIN\user). The Permission parameter would be either FullControl or Read.

Grant-PrivateKeyAccess -Certificate $Certificate -Identity $Identity -Permission 'FullControl'

There is a Question-and-Answer on StackOverflow (How to Grant permission to user on Certificate private key using powershell?) on how to grant permissions, but anecdotally it doesn't seem reliable across platforms and use-cases. I also wonder if the example code provided would work with non-RSA keys, but an answer I provided to another StackOverflow Question is useful in obtaining the absolute path of a Certificate Container.

Such a Cmdlet would be useful in order to automate configuration of key access after Certificate Installation as part of installation of a service or other such software.

Viajaz avatar Feb 22 '22 04:02 Viajaz
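A sketch of the cmdlet proposed above, added here as an example (it is not code from the issue, from PSCertificateEnrollment or from the linked scripts). It resolves the on-disk key container for both CSP (CAPI) and CNG keys, which is the non-RSA concern raised in the request, and grants the identity Read or FullControl on that file; keys that are not file-backed (HSM/TPM-held) are rejected rather than silently skipped. The function and parameter names follow the proposal; the thumbprint in the usage comment is a placeholder.

```powershell
function Grant-PrivateKeyAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'NT AUTHORITY\NETWORK SERVICE' or 'DOMAIN\user'
        [ValidateSet('Read', 'FullControl')][string]$Permission = 'Read'
    )
    process {
        if (-not $Certificate.HasPrivateKey) { throw "Certificate $($Certificate.Thumbprint) has no private key." }

        # Resolve the unique key container name. The CNG-aware accessors return RSACng/ECDsaCng
        # (Key.UniqueName) for CNG keys and RSACryptoServiceProvider (CspKeyContainerInfo) for CSP keys.
        $uniqueName = $null
        foreach ($key in @(
            [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate),
            [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
        )) {
            if ($null -eq $key) { continue }
            if ($key.PSObject.Properties['Key']) { $uniqueName = $key.Key.UniqueName; break }
            if ($key.PSObject.Properties['CspKeyContainerInfo']) { $uniqueName = $key.CspKeyContainerInfo.UniqueKeyContainerName; break }
        }
        if (-not $uniqueName) { throw "Key of $($Certificate.Thumbprint) is not a file-backed CSP/CNG key; cannot set a file ACL." }

        # Machine keys live under ProgramData\Microsoft\Crypto (RSA\MachineKeys for CSP, Keys for CNG),
        # user keys under AppData\Roaming\Microsoft\Crypto. Search both trees for the container file.
        $keyFile = Get-ChildItem -LiteralPath "$env:ProgramData\Microsoft\Crypto", "$env:APPDATA\Microsoft\Crypto" `
            -Recurse -File -Filter $uniqueName -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $keyFile) { throw "Key container file '$uniqueName' was not found on disk." }

        # 'Read' and 'FullControl' are both valid FileSystemRights names, so the parameter value maps directly.
        $rights = [System.Security.AccessControl.FileSystemRights]$Permission
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, 'Allow')
        if ($PSCmdlet.ShouldProcess($keyFile.FullName, "Grant $Permission to $Identity")) {
            $acl = Get-Acl -LiteralPath $keyFile.FullName
            $acl.AddAccessRule($rule)          # adds to the existing DACL; existing ACEs are kept
            Set-Acl -LiteralPath $keyFile.FullName -AclObject $acl
            [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; KeyFile = $keyFile.FullName
                               Identity = $Identity; Permission = $Permission }
        }
    }
}

# Usage (placeholder thumbprint); -WhatIf previews the ACL change without applying it:
# Get-Item 'Cert:\LocalMachine\My\FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF' |
#     Grant-PrivateKeyAccess -Identity 'NT AUTHORITY\NETWORK SERVICE' -Permission Read -WhatIf
```

Running it requires the rights to read and modify the key file's ACL, so in practice an elevated session for LocalMachine keys.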

Hello, many thanks for your feedback. Have a look at this. I plan to integrate this into the module in an upcoming version.

Sleepw4lker avatar Feb 22 '22 08:02 Sleepw4lker

With regard to https://github.com/Sleepw4lker/OcspManager/blob/master/lib/Set-CertificatePrivateKeyPermissions.ps1: it could be useful to have the parameter $Certificate accept ValueFromPipeline when you port it over, as well as another parameter to specify System.Security.AccessControl.CryptoKeyRights.

Viajaz avatar Feb 23 '22 06:02 Viajaz

This works for regular (software-based) keys and also for keys located in an HSM: https://github.com/microsoft/GuardedFabricTools/blob/master/CertificateManagement/CertificateManagement.psm1

ckrueger1979 avatar May 12 '23 06:05 ckrueger1979