I have a question that (hopefully) someone can shed some light on. I was writing a PowerShell script that would import a certificate to the Local Machine store and assign the Everyone group Read permissions to the private key of the certificate.
Now, I do have a working script that does accomplish this, but I've noticed that I have an account called "LogonSessionId_0_some-random-number" assigned Read permissions to the ACL on the private keys as shown in the following image:
At first I thought this was my script maybe doing this, but when I manually import the certificate I get the same result.
Has anyone seen this before or know why this is happening? What exactly is this account and why are permissions being assigned? I've tried to search for some answers on this but have come up short.
Not sure if it helps, but this is the portion of my code that imports the certificate and assigns the permissions:
# $getCerts holds the subject pattern to match (set earlier in the script)
$sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $getCerts }
$sslCertPrivKey = $sslCert.PrivateKey
# Locate the key container file in MachineKeys by its unique container name
$privKeyCertFile = Get-Item -Path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" |
    Where-Object { $_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName }
$privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
# Grant Everyone read access to the private key file
$permission = "Everyone", "Read", "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$privKeyAcl.AddAccessRule($accessRule)
Set-Acl -Path $privKeyCertFile.FullName -AclObject $privKeyAcl
I'm using Windows 10 Pro.
Any help/insight is greatly appreciated!
Right-click on the certificate. Click on Add under the Group or user names section. Add new users or groups, then click OK and allow appropriate access for the newly added users or groups.
Private key permissions can be managed by right-clicking a cert in the certificate manager > All Tasks and then click "Manage Private Keys...". Windows User Access Control (UAC) prevents unprivileged users from gaining programmatic access to the private key, even if they are a member of the local administrators group.
You can find the private key under the following location: locate the "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder. There are several files located in this folder. Each file in this folder corresponds to a key container.
It's because you have different scopes. When you add something at the machine level, by default it gives all users read permissions. Everyone with access to that computer will be able to see the certificate. You don't need to explicitly give users read access for a machine level certificate. It's like when you install some programs they ask "Install for all users?" If you say yes, it installs at the machine level and everyone can use it, otherwise it will install for just you and logging in with a different user means they won't have access.
Comment out the user-specific part of your script to test what I'm saying; you'll notice all users are given read-only access and things will work as expected.
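As an added example (not the original poster's script or any answer's code), the following audit resolves the on-disk key file for each LocalMachine\My certificate, covering both the legacy CSP RSA\MachineKeys folder from the question and CNG keys under Crypto\Keys, and reports every Allow entry granted outside an expected baseline, which is where entries like the LogonSessionId_* account would surface. It assumes an elevated Windows PowerShell 5.1 session (.NET Framework 4.6 or later for GetRSAPrivateKey) and a placeholder $Expected list to adapt to your own baseline.

```powershell
# Baseline of identities expected on a machine private key (placeholder; adapt it)
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG keys: machine keys are stored under ProgramData\Microsoft\Crypto\Keys
        $name = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys")
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP keys: the RSA\MachineKeys folder the question's script searches
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    } else { return $null }   # non-RSA keys (e.g. ECDSA) are out of scope here
    foreach ($d in $dirs) {
        $p = Join-Path $d $name
        if (Test-Path -LiteralPath $p) { return Get-Item -LiteralPath $p }
    }
    return $null
}

function Get-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $file = Get-PrivateKeyFile -Cert $Cert
    if (-not $file) { return }
    $acl = Get-Acl -LiteralPath $file.FullName
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Subject    = $Cert.Subject
            KeyFile    = $file.Name
            Identity   = $id
            Rights     = $ace.FileSystemRights
            Type       = $ace.AccessControlType
            # Any Allow entry outside the baseline is surfaced for review
            Unexpected = ($ace.AccessControlType -eq 'Allow' -and $Expected -notcontains $id)
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-PrivateKeyAccess -Cert $_ } |
    Where-Object Unexpected |
    Format-Table Subject, KeyFile, Identity, Rights -AutoSize
```

Run it before and after the import to see exactly which entries the import itself added versus the ones the script's Set-Acl call added.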