Comments (4)
I wrote a module for this issue, https://github.com/twerthi/xCertificatePermission
from certificatedsc.
Hi @plraustin - this is a really good question.
There isn't currently a resource that can be used to assign access to private keys to other local or domain accounts. This does seem like a good idea for a resource and wouldn't be too difficult to implement (based on the work I'm currently doing).
But in the meantime, you could use xScript to do this fairly easily.
Are you importing the certificate with xCertificateImport or are you requesting it using xCertReq?
from certificatedsc.
I built this (ugly) workaround for my use:
Script Certificate
{
    GetScript = {
        $store = "My"
        $thumbprint = "xxxx"
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumbprint }
        # Only valid for legacy CSP (CAPI) keys; CNG keys are not stored under RSA\MachineKeys
        $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
        @{ Result = $path }
    }
    TestScript = {
        $store = "My"
        $thumbprint = "xxxx"
        $userName = "IIS AppPool\DefaultAppPool"
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumbprint }
        $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
        $acl = Get-Acl $path
        # TestScript must return a single boolean: $true when an ACE for the account already exists
        [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $userName })
    }
    SetScript = {
        $store = "My"
        $thumbprint = "xxxx"
        $userName = "IIS AppPool\DefaultAppPool"
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumbprint }
        $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
        $acl = Get-Acl $path
        # Read is enough for the app pool to use the key; do not grant Modify or FullControl
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userName, "Read", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl $path $acl
    }
}
from certificatedsc.
In my experience, the current PowerShell implementation cannot be used to import a PFX certificate and then assign permissions. As this DSC module uses the standard PS mechanism, it is affected too.
My current alternative is not to use the DSC module to import a certificate where I need special rights. See this example implementation using other .NET classes. See this blog post for more technical details.
Configuration ImportPfxCertificate {
    param(
        [PSCredential] $AdminCreds,
        [String] $CertificateFile,
        [String] $ThumbPrint,
        # A plain-string password is compiled into the MOF in clear text; prefer a PSCredential
        # with certificate-based MOF encryption where possible
        [String] $PrivateKeyPwd,
        [String] $CertUserName
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Script InstallPfxCert
    {
        GetScript = {
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $cert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $using:ThumbPrint }
            $Store.Close()
            # GetScript must return a hashtable whose Result is a string
            @{ Result = [string]$cert.Thumbprint }
        }
        TestScript = {
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $cert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $using:ThumbPrint }
            $Store.Close()
            $null -ne $cert
        }
        SetScript = {
            # Do not reuse the automatic variable $pwd for the password
            $pfxPassword = ConvertTo-SecureString $using:PrivateKeyPwd -AsPlainText -Force
            # MachineKeySet: put the key in the machine key store; PersistKeySet: keep it after import.
            # Exportable lets anyone with key access export the private key; omit it unless required.
            $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
                     [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
                     [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
            $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($using:CertificateFile, $pfxPassword, $flags)
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            $Store.Add($Certificate)
            $Store.Close()
        }
        PsDscRunAsCredential = $AdminCreds
        # xRemoteFile (xPSDesiredStateConfiguration) resource that fetches the PFX; defined elsewhere in the original configuration
        DependsOn = "[xRemoteFile]SpPfxCertFile"
    }

    Script SetCertificatePermission
    {
        GetScript = {
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $cert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $using:ThumbPrint }
            $Store.Close()
            # Only valid for legacy CSP (CAPI) keys; CNG keys are stored under Crypto\Keys instead
            $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
            @{ Result = $path }
        }
        TestScript = {
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $cert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $using:ThumbPrint }
            $Store.Close()
            $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
            $acl = Get-Acl $path
            # Return a single boolean: $true when an ACE for the account already exists
            [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $using:CertUserName })
        }
        SetScript = {
            $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", LocalMachine
            $Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $cert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $using:ThumbPrint }
            $Store.Close()
            $PKFile = Get-Item "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
            $PKAcl = $PKFile.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
            # Read is sufficient for the account to use the key; never grant Modify or FullControl here
            $ReadAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($using:CertUserName, [System.Security.AccessControl.FileSystemRights]::Read, [System.Security.AccessControl.AccessControlType]::Allow)
            $PKAcl.AddAccessRule($ReadAccessRule)
            Set-Acl $PKFile.FullName $PKAcl
        }
        DependsOn = "[Script]InstallPfxCert"
    }
}
from certificatedsc.
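The two workarounds above both locate the private key file via CspKeyContainerInfo, which only works for legacy CSP (CAPI) keys, and both add an ACE without checking whether one is already present. The following is an added example, not code from any comment in this thread or from the CertificateDsc module: it resolves the key file for both CSP keys (under RSA\MachineKeys) and CNG keys (under Crypto\Keys, via the CngKey.UniqueName of the RSACng returned by GetRSAPrivateKey), compares existing ACEs by SID, and grants only Read. The function names Get-MachinePrivateKeyPath and Grant-PrivateKeyReadAccess are this example's own; the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not from the thread): resolve a LocalMachine certificate's private key
# file for both legacy CSP (CAPI) and CNG RSA keys and grant one account Read access,
# idempotently. Function names are this example's own; the two directories are the
# standard Windows machine-key store locations.

function Get-MachinePrivateKeyPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }

    # Legacy CSP keys: PrivateKey is an RSACryptoServiceProvider whose container name maps
    # to a file under RSA\MachineKeys. For CNG-only keys the property may throw or return
    # $null in Windows PowerShell 5.1, hence the try/catch.
    $cspKey = $null
    try { $cspKey = $Certificate.PrivateKey } catch { $cspKey = $null }
    if ($cspKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $cspKey.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }

    # CNG keys (Key Storage Provider): the key file lives under Crypto\Keys and its file
    # name is CngKey.UniqueName.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
    }

    throw "Only RSA machine keys are handled here; $($Certificate.Thumbprint) uses another key type."
}

function Grant-PrivateKeyReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Account that must use the key, e.g. 'IIS AppPool\DefaultAppPool' or 'NT SERVICE\MyService'
        [Parameter(Mandatory)] [string] $Identity,
        [string] $StoreName = 'My'
    )

    $cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\$StoreName." }

    $keyPath = Get-MachinePrivateKeyPath -Certificate $cert
    if (-not (Test-Path -LiteralPath $keyPath)) { throw "Key file $keyPath does not exist." }

    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $read    = [System.Security.AccessControl.FileSystemRights]::Read

    # Idempotency check by SID, so an ACE already stored in SID form is matched too.
    $acl = Get-Acl -LiteralPath $keyPath
    $already = $acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } catch { $false }) -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($already) {
        Write-Verbose "$Identity already has Read on $keyPath; nothing to do."
        return $false
    }

    # Read is sufficient to sign/decrypt with the key; Modify or FullControl would let the
    # account replace or delete the key file, so they are never granted here.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $read, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($keyPath, "Grant Read to $Identity")) {
        Set-Acl -LiteralPath $keyPath -AclObject $acl
    }
    return $true
}

# Usage (elevated PowerShell); the thumbprint is a placeholder:
# Grant-PrivateKeyReadAccess -Thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' -Identity 'IIS AppPool\DefaultAppPool' -Verbose
```

Because the function returns $false when the ACE is already present and $true when it added one, it can be dropped into a DSC Script resource's TestScript/SetScript pair without re-adding a duplicate ACE on every consistency check; run it with -WhatIf first to see which key file would be touched.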