Hello,
I want to give the user "Network Service" access to a certificate installed in LOCAL_MACHINE\Root, but I am having trouble with this.
When I do:
winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -p password
It does not install the certificate in LOCAL_MACHINE\Root, or it can't be seen through mmc.
When I do:
winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -a "Network Service" -p password
It installs the certificate but doesn't give the user "Network Service" access to the installed certificate. Or at least, the user "Network Service" is neither the user which installed the certificate (because I installed it with another one, and that one is allowed, user "FULLSTEP\auv") nor listed in "Additional accounts and groups with access to the private key include:".
After I do:
winhttpcertcfg -g -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "Network Service"
winhttpcertcfg -l -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate"
Then the user "NT AUTHORITY\NETWORK SERVICE" is listed in "Additional accounts and groups with access to the private key include:", so the access granting instruction apparently worked well. But when I try to access the certificate with the "Network Service" user (with a program I made), I am getting an error ("Failed to acquire key context") with a component I use, and I think that is a user permission error. I think this because of the kind of error and also because I tried the following:
As I said, after executing:
winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -a "Network Service" -p password
The certificate was installed and I can access it with the user which installed it, so that user is listed when I do:
winhttpcertcfg -l -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate"
Ok, then I do:
winhttpcertcfg -r -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "FULLSTEP\auv"
And it tells me that the user "FULLSTEP\auv" has been removed from the private key access. Then I try to access the certificate with that user and I get the same error I got when I tried to access it with the user "Network Service". So that is why I think it is a user permission problem, and more precisely I think that the user "Network Service" can't access the private key, although it was listed in "Additional accounts and groups with access to the private key include:". Afterwards, I tried:
winhttpcertcfg -g -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "FULLSTEP\auv"
And it tells me "Error: Access was not successfully obtained for the private key. This can only be done by the user who installed the certificate".
So I am left with the following questions:
Is it possible to accomplish what I am trying to do? (Access with "Network Service" user to the certificate with its private key, located in LOCAL_MACHINE\Root)
Is "winhttpcertcfg -g" granting access to the certificate, but not to its private key, as I suppose?
Can I somehow give access to the private key of the certificate?
Any idea given will be really helpful.
Thanks,
Ari.
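
A way to check the point the post is unsure about, whether the listed account really has read access to the private key file behind the certificate, as an added example that is not part of the original post. It assumes an RSA key, an elevated Windows PowerShell 5.1 session and the standard machine key folders; the `-Grant` switch is a hypothetical parameter of this script.

```powershell
# Added example (not from the post): show, and optionally fix, the file ACL
# on the private key that belongs to a machine-store certificate.
param(
    [string]$Subject   = 'SecureBlackBox Demo Certificate',  # subject used in the post
    [string]$StorePath = 'Cert:\LocalMachine\Root',          # store used in the post
    [string]$Account   = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$Grant                                           # hypothetical: add Read if missing
)

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like "*$Subject*" } | Select-Object -First 1
if (-not $cert)               { throw "No certificate matching '$Subject' in $StorePath" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key attached" }

# Opening the key fails if the *current* user has no access to it.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key could not be opened (not RSA, or access denied)' }

# The unique container name is the file name of the key on disk.
$name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
        else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }

# CSP keys and CNG keys are stored in different folders; probe both.
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name",
    "$env:ProgramData\Microsoft\Crypto\Keys\$name"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$name' not found in the machine key folders" }

# Compare by SID so localized account names do not matter.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
$acl     = Get-Acl -LiteralPath $keyFile
$rules   = @($acl.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value })

if ($rules.Count -gt 0) {
    $rules | Format-Table IdentityReference, AccessControlType, FileSystemRights
} else {
    Write-Warning "$Account has no explicit or inherited entry on $keyFile"
    if ($Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyFile -AclObject $acl
        Write-Output "Granted Read on $keyFile to $Account"
    }
}
```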