Setting Private Key permissions for a Certificate in Win Server 2008

Question

When creating a certificate with makecert on Windows Server 2003, I'd have to set the permissions on the private key to be accessible to NETWORK SERVICE so that the private key could be read by the WCF service. I could access the file by navigating to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Once I set read permissions for NETWORK SERVICE, everything worked fine.

I'm looking at Windows Server 2008, and can't find a similar locaiton in C:\Users or anywhere else. What is the proper mechanism for setting permissions to the private key? Where are they located? I'm using makecert to directly install it to TrustedPeople / localmachine

Answer 1

Looks like the tool to use here is WinHttpCertCfg.exe. This is the cleaner way to set permissions on a certificate private key than the method I described above. My guess is that in Windows 2008 and beyond, MS decided to hide the keys in a more discrete location.

I used WinHttpCertCfg to set the permissions. Here's an example command to grant read permissions to NETWORK SERVICE for a cert named MyCert01 in LOCAL_MACHINE\TrustedPeople.

winhttpcertcfg.exe -g -c LOCAL_MACHINE\TrustedPeople -s MyCert01 -a "NETWORK SERVICE"