IIS 7.5 Grant Application Pool Read Permission for Private Certificate Key Using PowerShell

I searched all around and could not find much information. Basically, I have Windows 2008 R2, and I created a PowerShell script to upload a PFX file to the certificate store on the local machine.

Now I need to grant permission to my application pool to read the private key of the certificate using PowerShell.

In the old form of Windows 2003, I just needed to get the actual file sitting in the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, but it looks like Win 2008 is using a different folder.

Does anyone have any solution?

Update: my version of the code:

# Adds an ACL entry for $user on the private-key file of the certificate whose
# subject matches $certSubject. $permissionType is the FileSystemRights value
# (e.g. "Read"), $permission the AccessControlType ("Allow" or "Deny").
function Grant-CertificatePermissions([string]$certSubject, [string]$user, [string]$permissionType, [string]$permission)
{
    # Store location and name must be passed explicitly, otherwise the
    # Cert:\ path built in Get-LocalMachineCertificate is empty.
    $getCert = Get-LocalMachineCertificate $certSubject "LocalMachine" "My"
    $keypath = Get-CertificateStorePath
    # For CSP (RSA) keys the unique container name is the file name under MachineKeys.
    $certHash = $getCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $certFullPath = $keypath + $certHash
    $certAcl = Get-Acl -Path $certFullPath

    try
    {
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permissionType, $permission
        $certAcl.AddAccessRule($accessRule)
    }
    catch [System.Exception]
    {
        throw "Invalid User Id Or Permission"
    }
    Set-Acl -Path $certFullPath -AclObject $certAcl
}

# Returns the first certificate in the given store whose Subject equals $subject.
function Get-LocalMachineCertificate([string]$subject, [string]$certificateStoreLocation, [string]$certificateStoreName)
{
    $getCert = Get-ChildItem -Recurse "Cert:\$certificateStoreLocation\$certificateStoreName" |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1

    if (!$getCert)
    {
        throw "Certificate Not Found"
    }

    return $getCert
}

# Builds the MachineKeys folder path from %ProgramData% (falls back to
# %ALLUSERSPROFILE%\Application Data on older Windows versions).
function Get-CertificateStorePath
{
    $commonCertPathStub = "\Microsoft\Crypto\RSA\MachineKeys\"
    $programData = $Env:ProgramData
    if (!$programData)
    {
        $programData = $Env:ALLUSERSPROFILE + "\Application Data"
    }

    $keypath = $programData + $commonCertPathStub

    return $keypath
}

Get-CertificateStorePath returns: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

The full path that gets built: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d82829f7770ea5d85ef978dea67f302d_4cca7190-7e9f-46d7-b180-6656fec432e2

Get-Acl then fails with: Cannot find path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d82829f7770ea5d85ef978dea67f302d_4cca7190-7e9f-46d7-b180-6656fec432e2' because it does not exist.

# Imports a PFX file into the given store; PersistKeySet keeps the private key
# on disk after import, Exportable allows it to be exported again later.
function Import-PfxCertificate ([String]$certPath, [String]$certificateStoreLocation, [String]$certificateStoreName, $pfxPassword)
{
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

    $pfx.Import($certPath, $pfxPassword, "Exportable,PersistKeySet")

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certificateStoreName, $certificateStoreLocation)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()
    return $pfx
}

On 2008 R2 it is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

In PowerShell (IIS):

cert:\LocalMachine\My

CD into it, then:

$cert = Get-Item 2779B37AE3625FD8D2F9596E285C7CDC15049D87
$cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

That is the file name in MachineKeys.

Then Set-Acl.

In MMC: mmc / add snapin / certificates / computer account / local computer, certificates / personal / certificates / [your cert] / all tasks / manage private keys


\Personal Computer Store\Personal, $getCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName


powershell script.

powershell?

link script, PowerShell.

If you use ApplicationPoolIdentity, the username will be "IIS AppPool \ AppPoolNameHere"

Note: you will need to use '' because there is a space between IIS and AppPool.
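Putting the two answers together (find the key file via UniqueKeyContainerName, then grant the "IIS AppPool\<name>" virtual account Read on it), here is an added example that is not code from the question or any answer; it assumes an elevated session on Windows Server 2008 R2 / IIS 7.5, a CSP (RSA) key stored under MachineKeys, and placeholder values for the thumbprint and application pool name.

```powershell
# Added example (not from the question or answers). Grants an IIS 7.5 application
# pool identity Read access to a certificate's private-key file. Assumes the key
# is a CSP key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and that the
# script runs elevated. Thumbprint and app pool name are placeholders.
function Grant-AppPoolKeyRead {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$AppPoolName
    )

    # Look the certificate up by thumbprint in LocalMachine\My (Personal).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # For CSP (RSA) keys the unique container name is the file name in MachineKeys.
    $csp = $cert.PrivateKey
    if (-not $csp) { throw "Private key is not accessible as a CSP key; cannot resolve its file" }
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
    if (-not (Test-Path -Path $keyFile)) {
        throw "Key file $keyFile does not exist; the key is not a machine-scoped CSP key"
    }

    # App pool identities are virtual accounts named 'IIS AppPool\<name>' (note the space).
    $identity = "IIS AppPool\$AppPoolName"

    # Least privilege: Read only (no Write or FullControl), explicit Allow, no inheritance.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'None', 'None', 'Allow')

    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting ACE so the caller can confirm exactly what was granted.
    (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity }
}

# Example invocation (placeholder values):
# Grant-AppPoolKeyRead -Thumbprint '<THUMBPRINT>' -AppPoolName 'DefaultAppPool'
```

Check the returned entry shows FileSystemRights of Read and AccessControlType of Allow; anything broader than Read is more than the worker process needs to use the key.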
