HOW TO GET THE THUMBPRINT OF A CERTIFICATE AND ADD PERMISSIONS FOR A PARTICULAR USER

Hey guys… say you want to get the unique Thumbprint of a certificate. How do you get it?

The only thing you need to know about the certificate is its FriendlyName, which is set when the certificate is created. Let's say the FriendlyName for the certificate is MyCert. The lines below will get the certificate's thumbprint.

# Search every certificate store and match on the FriendlyName set when the certificate was created.
# If the same certificate is installed in more than one store this returns more than one object,
# so narrow the path (for example Cert:\LocalMachine\My) when that is possible.
$getCert = Get-ChildItem -Recurse Cert: | Where-Object {$_.FriendlyName -eq "MyCert"}
# The thumbprint is the SHA-1 hash of the certificate and identifies it uniquely
$certHash = $getCert.Thumbprint

Say you have installed a certificate which has to be used by some service, and that service runs under the NETWORK SERVICE account. When the service tries to access the certificate, Windows checks whether the certificate's private key grants access permissions to the "NETWORK SERVICE" account. If it does not, the service won't be able to use the certificate and will fail.

So, we need to grant NETWORK SERVICE (or some other account/user, depending on the need) permission to access the certificate.

To give a particular user account access to this certificate (say, read-only access), you need to modify the ACL of the encrypted Private Key file corresponding to this certificate. The key files for machine certificates are located under the following location:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

Now, there are many files in the above location (if you have many certificates installed on your machine). So how do we find the file for a particular certificate?

It's pretty easy: we can use the Thumbprint of that particular certificate (use the code discussed above to get it) as a filter. Below is the code to add READ permissions for the user "NT AUTHORITY\NETWORK SERVICE".

# Look the certificate up by its thumbprint ($certHash from the snippet above) and read the
# unique name of its key container file from the private key's CSP information
$keyName = (((Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $certHash}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
$fullPath = $keyPath + $keyName
# Read the current ACL of the key file, append an Allow/Read rule for the account, and write it back
$acl = Get-Acl -Path $fullPath
$permission = "NT AUTHORITY\NETWORK SERVICE","Read","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $fullPath -AclObject $acl
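Here is a fuller version of the same procedure, written as an added example (not code from the original post) that wraps both steps in one function. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session, an RSA certificate in Cert:\LocalMachine\My, and that machine private keys sit either under the RSA\MachineKeys path shown above or, for CNG (Key Storage Provider) keys, under %ProgramData%\Microsoft\Crypto\Keys. It refuses to continue when the FriendlyName is ambiguous, resolves the key file for both CSP and CNG keys, and returns the resulting ACL entry so you can verify exactly what was granted.

```powershell
function Grant-CertPrivateKeyRead {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FriendlyName,
        [string] $Account   = 'NT AUTHORITY\NETWORK SERVICE',
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # Match on FriendlyName inside one store only and insist on exactly one hit with a private key,
    # so a duplicate or a public-only certificate cannot silently select the wrong key file.
    $certs = @(Get-ChildItem -Path $StorePath |
               Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate '$FriendlyName' with a private key in $StorePath, found $($certs.Count)"
    }
    $cert = $certs[0]
    Write-Verbose "Thumbprint: $($cert.Thumbprint)"

    # Resolve the unique key-container name. Legacy CSP keys expose CspKeyContainerInfo;
    # CNG keys expose the name through the RSACng Key object instead.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    # Machine keys live in one of two directories depending on the provider (assumption: no
    # custom key storage provider is in use), so probe both and take the one that exists.
    $candidates = @(
        (Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $uniqueName),
        (Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $uniqueName)
    )
    $keyFile = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key container file '$uniqueName' not found on disk" }

    # Read on this file is what lets the account use the private key, so grant only Read,
    # only to the one account, and leave the existing entries untouched.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    # Return the resulting entry for the account so the caller can confirm what was granted.
    (Get-Acl -LiteralPath $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='KeyFile';e={$keyFile}}, IdentityReference, FileSystemRights, AccessControlType
}

# Example use (elevated session): Grant-CertPrivateKeyRead -FriendlyName 'MyCert' -Verbose
```

If the function throws on the count check, resolve the duplicate (or import the certificate with its private key) before re-running it rather than loosening the filter.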

Cheers,
Maninder