How to grant an account permissions to access a certificate?

I have a certificate in the MSMQ service Personal store and I need to grant the Network Service the permissions to access the certificate.

The only way I know of to do it is with certutil.exe on Win2008/7, like so:

certutil -service -service -repairstore MSMQ\My "" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)

(thanks to http://blogs.msdn.com/b/gautamm/archive/2010/10/26/https-messaging-with-client-side-certificate-fails-with-iis-error-403.aspx)

However, certutil on Win2003/XP does not recognize the -service parameter, so that's no good.

My question is how can I do it in a way that works for both Win2003/XP and Win2008/7?

I need a non-interactive approach (command-line utility, script, COM/.NET/Win32 API).

asked Feb 09 '11 13:02 by mark


1 Answer

If you just need to set ACL rights on the certificate's private key (which your linked page suggests), I recently posted an answer here on how I found a way to do that.

Open the X509Store and get the current certificate in hand, and then set the ACL on the private key.

You can use something like this to get the SID of the account needing access (or just use the well-known SID S-1-5-20 if you know it's always Network Service):

using System.Security.Principal;

// NT AUTHORITY\NETWORK SERVICE: the domain part has a space, not an underscore
NTAccount nt = new NTAccount("NT AUTHORITY", "NETWORK SERVICE");
SecurityIdentifier sid = (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));

My other answer has the code that sets the ACL. (Caveat: I've run it on Windows Server 2003 but not XP.)

answered Sep 20 '22 15:09 by Jim Flood
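As an added example (not part of the answer above and not Jim Flood's or the blog post's code), here is a C# console program that carries the answer's three steps through end to end for the MSMQ\My store from the question: open the store, find the certificate, put an ACE for Network Service on its private key. It assumes the certificate's private key is a CAPI RSA key in the machine key set (the only kind that exists on XP/2003; CNG keys are not handled), that the program runs as an administrator, and that the service store is opened by P/Invoking CertOpenStore with CERT_SYSTEM_STORE_SERVICES, since X509Store only has constructors for the CurrentUser and LocalMachine locations. The class and method names are my own.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example: grant NETWORK SERVICE read access to the private key of a
// certificate in the MSMQ service store. Assumes a CAPI RSA machine key.
static class MsmqCertKeyAcl
{
    // wincrypt.h constants for CertOpenStore
    const int  CERT_STORE_PROV_SYSTEM_W      = 10;       // provider id, passed as LPCSTR
    const uint CERT_SYSTEM_STORE_SERVICES    = 5u << 16; // 0x00050000: "<service>\<store>"
    const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x4000;
    const uint CERT_STORE_READONLY_FLAG      = 0x8000;

    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
                                       IntPtr hCryptProv, uint dwFlags, string pvPara);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // Machine key containers live under All Users\Application Data on XP/2003 and
    // under %ProgramData% on Vista+; CommonApplicationData resolves to both.
    static string MachineKeysFolder()
    {
        return Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
    }

    // Opens "<service>\<storeName>" (e.g. MSMQ\My) as an X509Store via a CAPI handle.
    static X509Store OpenServiceStore(string service, string storeName, out IntPtr hStore)
    {
        hStore = CertOpenStore(new IntPtr(CERT_STORE_PROV_SYSTEM_W), 0, IntPtr.Zero,
            CERT_SYSTEM_STORE_SERVICES | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG,
            service + @"\" + storeName);
        if (hStore == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error(), "CertOpenStore failed");
        return new X509Store(hStore); // X509Store duplicates the handle; we still close ours
    }

    // Adds an Allow/Read ACE for 'sid' on the key container file and returns its path.
    public static string GrantReadOnPrivateKey(string service, string thumbprint, SecurityIdentifier sid)
    {
        IntPtr hStore;
        X509Store store = OpenServiceStore(service, "My", out hStore);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("expected exactly one certificate, found " + found.Count);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("certificate has no associated private key");

            // On XP/2003 every key is a CSP key; .NET exposes it as RSACryptoServiceProvider.
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new NotSupportedException("only CAPI RSA keys are handled by this example");
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            if (!info.MachineKeyStore)
                throw new NotSupportedException("key is a per-user container, not in MachineKeys");
            string keyFile = Path.Combine(MachineKeysFolder(), info.UniqueKeyContainerName);

            // The container is an ordinary NTFS file: add a Read ACE, the same right
            // (GR) the certutil SDDL in the question grants to NS.
            FileSecurity acl = File.GetAccessControl(keyFile);
            acl.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, acl);
            return keyFile;
        }
        finally
        {
            store.Close();
            CertCloseStore(hStore, 0);
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: MsmqCertKeyAcl <thumbprint, no spaces>"); return 2; }
        // Well-known SID S-1-5-20 (NT AUTHORITY\NETWORK SERVICE): no name lookup needed.
        SecurityIdentifier ns = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        string keyFile = GrantReadOnPrivateKey("MSMQ", args[0], ns);
        Console.WriteLine("Granted Read on {0} to {1}", keyFile, ns.Translate(typeof(NTAccount)));
        return 0;
    }
}
```

Build against .NET Framework 2.0 or later and run it elevated as `MsmqCertKeyAcl.exe <thumbprint>`. Two checks are deliberate: the program refuses a key that is not in the machine key store, because per-user containers live under the creating account's profile and this path would be wrong for them, and it refuses a non-CSP key, because on Vista and later a CNG key is not an RSACryptoServiceProvider and its container lives elsewhere. Using the well-known SID rather than an NTAccount lookup also avoids any dependence on the localized display name of the Network Service account.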