
I have some build scripts that generate certificates using CertMgr.exe, however I currently have to manually use the MMC snap-in, navigate to the certificate in question, right click it, select All Tasks, select Manage Private Keys, and then set the permissions manually. (For now, I just add Everyone and grant full permissions).

So I run the following script and then go to MMC and look for MACHINE-NAME Root CA and then modify the permissions manually. How can I modify my script so I don't have to do this manual step?

param([String]$CertName = $env:COMPUTERNAME)

$CertAuthName = $CertName + " Root CA"

# Remove any CA and machine certificates left from a previous run, in every
# store, then the files in the working directory (-ErrorAction so that a
# clean first run does not fail on files that are not there yet).
Get-ChildItem cert:\ -DnsName "$CertAuthName*" -Recurse | Remove-Item
Get-ChildItem cert:\ -DnsName "$CertName*" -Recurse | Remove-Item

Remove-Item "$CertName*" -ErrorAction SilentlyContinue
Remove-Item "$CertAuthName*" -ErrorAction SilentlyContinue

# Self-signed root CA (.pvk/.cer) and an empty CRL for it
.\makecert.exe -n "CN=$CertAuthName" -r -sv "$CertAuthName.pvk" "$CertAuthName.cer" >$null 2>&1
.\makecert.exe -crl -n "CN=$CertAuthName" -r -sv "$CertAuthName.pvk" "$CertAuthName.crl" >$null 2>&1
# Install the CA certificate and its CRL into LocalMachine\Root
.\CertMgr.Exe -add -c "$CertAuthName.cer" -s -r localMachine root >$null 2>&1
.\CertMgr.Exe -add -crl "$CertAuthName.crl" -s -r localMachine root >$null 2>&1
# Machine certificate issued by that CA, stored in LocalMachine\My with an
# exportable (-pe) exchange key; this is the private key whose ACL is edited by hand
.\makecert.exe -sk $CertName -n "CN=$CertName" "$CertName.cer" -iv "$CertAuthName.pvk" -ic "$CertAuthName.cer" -sr localmachine -ss my -sky exchange -pe >$null 2>&1
WhiskerBiscuit
  • What have you tried so far? What errors are you getting? – Bill_Stewart Jan 19 '18 at 22:36
  • There's an answer on this question that contains some powershell code that may solve the problem: https://stackoverflow.com/questions/425688/how-to-set-read-permission-on-the-private-key-file-of-x-509-certificate-from-ne – veefu Jan 20 '18 at 02:09

1 Answer


There is an answer on another thread here: https://stackoverflow.com/a/31175117/85936 that I believe will solve your problem.

veefu
  • Using `Set-PrivateKeyPermissions -thumbprint $thumbprint -account Everyone` where $thumbprint contains the thumbprint does the trick. In order to get the thumbprint value use `$cert = Get-ChildItem -path cert:\LocalMachine\My\ | where { $_.subject -eq "CN=" + $CertName }` with the appropriate value for $CertName and the value is `$cert.thumbprint` – WhiskerBiscuit Jan 29 '18 at 15:43
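For reference, here is a stand-alone script that does the same job as the linked function: it resolves the certificate's private key file on disk and adds an ACL entry to it, which is exactly what MMC's "Manage Private Keys" dialog edits. This is an added example, not code from the question, the accepted answer or the linked thread. It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later, for `GetRSAPrivateKey`) run from an elevated prompt, and the default account name is an assumption: grant the key to the identity that actually uses it (a service account or IIS app pool) with Read rather than to Everyone with Full Control, since Read is all that signing or decrypting with the key requires.

```powershell
# Added example: script the "Manage Private Keys" step by finding the key
# file and granting an account access to it. Assumes Windows PowerShell 5.1
# (.NET Framework 4.6+), elevated. The default account is an assumption.
param(
    [string]$CertName = $env:COMPUTERNAME,
    [string]$Account  = "NT AUTHORITY\NETWORK SERVICE",   # assumption: the identity that needs the key
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Read'
)

# Machine-key roots: legacy CSP keys live under RSA\MachineKeys (which is
# where makecert -sky exchange puts its key); CNG keys live under Keys.
$MachineKeyRoots = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ProgramData\Microsoft\Crypto\Keys",
    "$env:ProgramData\Microsoft\Crypto\SystemKeys"
)

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    # The on-disk file is named after the key container's unique name, which
    # is exposed differently for CSP and CNG keys.
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }

    $file = Get-ChildItem -Path $MachineKeyRoots -Filter $uniqueName -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) {
        throw "Key file '$uniqueName' not found under $($MachineKeyRoots -join ', ')"
    }
    return $file.FullName
}

function Grant-PrivateKeyAccess {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $path = Get-PrivateKeyFilePath -Cert $Cert
    $acl  = Get-Acl -Path $path
    # Add only the rights asked for; the existing entries (SYSTEM, Administrators) stay as they are.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# Same lookup as in the question's comment: match the subject exactly, not by prefix.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$CertName" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$CertName in LocalMachine\My" }

$keyFile = Grant-PrivateKeyAccess -Cert $cert -Account $Account -Rights $Rights
Write-Host "Granted $Rights on $keyFile to $Account"

# Check the result without opening MMC
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it after the makecert/CertMgr script, e.g. `.\Grant-KeyAccess.ps1 -CertName $env:COMPUTERNAME -Account 'IIS AppPool\MySite'`. Two caveats: the ACL is on the key file itself, so any account given Read can also copy the file, which is why Everyone/Full Control is worth replacing with a named account; and on PowerShell 7, `GetRSAPrivateKey` may hand back an `RSACng` even for a CSP key, which the three-root search above tolerates but the type check is written for Windows PowerShell 5.1.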