May 8, 2012

Certificate access permissions

The Windows Resource Kit includes a utility, winhttpcertcfg.exe, for listing and granting access to a certificate's private key.

List certificate key permissions:
winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "certificate.name"

 

Grant permissions to a certificate key:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "certificate.name" -a WindowsAccount

 

Grant the account permission to run as a Windows service:
"Log on as a service" policy

 

Grant account permissions to run as an ASP.NET application service:
aspnet_regiis -ga WindowsAccount

 

Give WindowsAccount write permissions to C:\Windows\Temp

If the certificate is not in this store (LOCAL_MACHINE\My in the commands above) and you want to move it there from another location, you must export the certificate and then import it. Do not drag and drop it in the Certificates MMC UI, or it won't work.
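
Where winhttpcertcfg.exe is not installed, the list and grant steps above can be checked directly against the private key file's ACL. The script below is an added example, not part of the original post or of any Microsoft tool. It assumes an RSA key, the default machine key directories, and an elevated prompt; the parameter names and the script file name are hypothetical.

```powershell
# Added example. Hypothetical usage (script name is illustrative):
#   .\Get-CertKeyAcl.ps1 -SubjectMatch "certificate.name" -GrantTo "DOMAIN\WindowsAccount"
param(
    [Parameter(Mandatory)] [string] $SubjectMatch,  # text to find in the certificate subject
    [string] $GrantTo                               # optional account to receive Read access
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$SubjectMatch'." }

# Assumption: RSA key. CNG keys expose Key.UniqueName; legacy CSP keys expose CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no accessible RSA private key." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "Could not determine the key container name." }

# Assumption: default locations for machine CNG keys and machine CSP keys.
$keyFile = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key directories." }

# List step: who can currently reach the private key.
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Flag broad grants by well-known SID: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Broad access on private key: $($_.IdentityReference.Value) ($($_.FileSystemRights))" }

# Grant step: Read only, and only to the one account that needs the key.
if ($GrantTo) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantTo, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    (Get-Acl -Path $keyFile).Access | Where-Object { $_.IdentityReference.Value -like "*$GrantTo" }
}
```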
