Yevrag35

Set PrivateKey Perms Example

Feb 13th, 2020
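  Function Get-PrivateKeyContainerPath
  {
      <#
      .SYNOPSIS
          Locates the on-disk file that backs a machine-level private key container.
      .DESCRIPTION
          Searches the well-known key storage folders under CommonApplicationData
          (%ProgramData%) for a file whose name equals the key container's unique
          name. CNG keys are looked for under Microsoft\Crypto\Keys and
          Microsoft\Crypto\SystemKeys; legacy CAPI/CSP keys under the
          Microsoft\Crypto\RSA\<sid> and Crypto\DSS\<sid> folders listed below.
      .PARAMETER Name
          Unique key container name, i.e. the file name to look for.
      .PARAMETER IsCNG
          $true to search the CNG key folders, $false for the legacy CSP folders.
      .OUTPUTS
          [string] Full path of the first matching key file.
      .NOTES
          Throws if no matching file is found. Search folders that do not exist
          on this host (for example a per-SID CSP folder) are skipped; they are
          not reported as errors.
      #>
      [CmdletBinding(PositionalBinding=$false)]
      Param(
          [Parameter(Mandatory=$True)][string][ValidateNotNullOrEmpty()] $Name,
          [Parameter(Mandatory=$True)][boolean] $IsCNG
      )
      If ($IsCNG)
      {
          $searchDirectories = @("Microsoft\Crypto\Keys","Microsoft\Crypto\SystemKeys")
      }
      else
      {
          $searchDirectories = @(
              "Microsoft\Crypto\RSA\MachineKeys",
              "Microsoft\Crypto\RSA\S-1-5-18",
              "Microsoft\Crypto\RSA\S-1-5-19",
              "Crypto\DSS\S-1-5-20"
          )
      }
      # Resolved once; identical for every search folder.
      $programData = [Environment]::GetFolderPath("CommonApplicationData")
      foreach ($searchDirectory in $searchDirectories)
      {
          $machineKeyDirectory = Join-Path -Path $programData -ChildPath $searchDirectory
          # A missing folder is expected on some hosts; skip it instead of letting
          # Get-ChildItem emit an error for it.
          if (-not (Test-Path -LiteralPath $machineKeyDirectory -PathType Container))
          {
              continue
          }
          # -File ignores directories; -First 1 guarantees a single string is
          # returned to the caller even if the filter matches more than one entry
          # (the original returned an array in that case, which Get-Acl cannot use).
          $privateKeyFile = Get-ChildItem -LiteralPath $machineKeyDirectory -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
              Select-Object -First 1
          if ($null -ne $privateKeyFile)
          {
              return $privateKeyFile.FullName
          }
      }
      Throw "Cannot find private key file path for key container ""$Name"""
  }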
  33.    
  34. ...
  35.  
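  # Security.Cryptography.dll supplies the HasCngKey / GetCngPrivateKey extension
  # methods used below. $curDir and $SHA1Thumbprint are assigned earlier in the script.
  $dllPath = "$curDir\Security.Cryptography.dll"
  if (Test-Path -LiteralPath $dllPath)
  {
      # Load the Assembly. LoadFile returns the Assembly object; discard it so it
      # does not leak into the script's output stream.
      # NOTE(review): the assembly is loaded from $curDir without an integrity
      # check. Keep that folder writable by administrators only, or verify the
      # file with Get-AuthenticodeSignature before loading it.
      $null = [System.Reflection.Assembly]::LoadFile($dllPath)

      # Fail with a clear message if the thumbprint does not resolve; otherwise
      # HasCngKey would be called with $null further down.
      $Certificate = Get-ChildItem -LiteralPath "Cert:\LocalMachine\My\$SHA1Thumbprint" -ErrorAction SilentlyContinue
      if ($null -eq $Certificate)
      {
          throw "Certificate with thumbprint ""$SHA1Thumbprint"" was not found in Cert:\LocalMachine\My"
      }

      if ([Security.Cryptography.X509Certificates.X509CertificateExtensionMethods]::HasCngKey($Certificate))
      {
          Write-Verbose "Private Key is CNG"
          $privateKey = [Security.Cryptography.X509Certificates.X509Certificate2ExtensionMethods]::GetCngPrivateKey($Certificate)
          $keyContainerName = $privateKey.UniqueName
          $privateKeyPath = Get-PrivateKeyContainerPath -Name $keyContainerName -IsCNG $true
      }
      elseif ($null -ne $Certificate.PrivateKey)
      {
          Write-Verbose "Private Key CSP is Legacy"
          $privateKey = $Certificate.PrivateKey
          $keyContainerName = $privateKey.CspKeyContainerInfo.UniqueKeyContainerName
          $privateKeyPath = Get-PrivateKeyContainerPath -Name $keyContainerName -IsCNG $false
      }
      else
      {
          throw "Certificate `"$($Certificate.GetNameInfo("SimpleName",$false))`" does not have a private key, or that key is inaccessible, therefore permission not granted"
      }

      # Grant the "Network Service" read access to the private key.
      # Read is the least privilege a service needs to use the key; do not widen it.
      # NOTE(review): the account is named in English; on a localized Windows the
      # well-known SID S-1-5-20 would resolve regardless of display language.
      $Acl = Get-Acl -LiteralPath $privateKeyPath
      $permission = "NT AUTHORITY\NETWORK SERVICE", "Read", "Allow"
      $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
      $Acl.AddAccessRule($rule)
      Set-Acl -LiteralPath $privateKeyPath -AclObject $Acl -Verbose
  }
  else
  {
      # Without the assembly the key type cannot be detected; fail loudly rather
      # than exit successfully with the key permissions unchanged.
      throw "Required assembly not found: ""$dllPath"""
  }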