Managing Private Key Access for Certificates in Windows Server 2003
Problem: The Certificates Snap-in for the Microsoft Management Console in Windows Server 2003 does not offer "Manage Private Keys...", which makes it impossible to grant user accounts access to a certificate's private key from the Certificates Snap-in.
Solution: The only option for assigning the necessary permissions is the WinHttpCertCfg.exe console application, which is part of the Windows Server 2003 Resource Kit Tools.
- Open a command prompt in the directory where you installed the Windows Server 2003 Resource Kit Tools.
- The winhttpcertcfg.exe utility is used both to view the accounts that already have access to the certificate's private key and to grant access to additional accounts.
- To view the list of accounts that have access to the certificate's private key, use the following syntax:
- winhttpcertcfg -l -c [Certificate Store Name] -s [The Name of the Certificate]
- Example: winhttpcertcfg -l -c LOCAL_MACHINE\My -s "Named Server Certificate"
- To grant an additional account access to the certificate's private key, use the following syntax:
- winhttpcertcfg -g -c [Certificate Store Name] -s [The Name of the Certificate] -a [UserName]
- Example: winhttpcertcfg -g -c LOCAL_MACHINE\My -s "Named Server Certificate" -a ADDomain\ADUserName
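Because every grant made this way is easy to forget, an audit that walks the whole LOCAL_MACHINE\My store and lists who can read each private key is the natural companion to the commands above. The following PowerShell script is an added example, not part of the original article; it assumes the Resource Kit default install path shown, and that winhttpcertcfg -l prints the account list after a header line beginning "Additional accounts and groups".

```powershell
# Added audit script (not from the original article): for every certificate in
# LOCAL_MACHINE\My that has a private key, run "winhttpcertcfg -l" and flag any
# broad principal that has been granted access to the key.
# Assumptions: the Resource Kit default install path below, and that the tool's
# listing prints the accounts after a header line starting with
# "Additional accounts and groups".
$WinHttpCertCfg = 'C:\Program Files\Windows Resource Kits\Tools\winhttpcertcfg.exe'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-PrivateKeyAccess {
    param([string]$SubjectName)
    # -l lists the accounts that can read the private key of the first
    # certificate whose subject contains $SubjectName (substring match).
    $lines = & $WinHttpCertCfg -l -c LOCAL_MACHINE\My -s $SubjectName 2>&1 |
        ForEach-Object { ([string]$_).Trim() }
    $accounts = @()
    $collecting = $false
    foreach ($line in $lines) {
        if ($line -like 'Additional accounts and groups*') { $collecting = $true; continue }
        if ($collecting -and $line -ne '') { $accounts += $line }
    }
    return $accounts
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        if (-not $cert.HasPrivateKey) { continue }
        $name = $cert.GetNameInfo('SimpleName', $false)
        if ($name -eq '') { continue }
        Write-Host ("{0}  (thumbprint {1})" -f $name, $cert.Thumbprint)
        foreach ($account in (Get-PrivateKeyAccess $name)) {
            # -contains is case-insensitive, so 'everyone' is caught as well
            if ($BroadPrincipals -contains $account) {
                Write-Host "    $account   <-- broad principal, review this grant"
            } else {
                Write-Host "    $account"
            }
        }
    }
} finally {
    $store.Close()
}
```

Run it from an elevated prompt on the server; because -s matches on a substring of the subject, two certificates with similar names will both report the first match, so compare against the thumbprint printed for each entry.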
References: Windows Server 2003 Resource Kit Tools
WinHttpCertCfg.exe, A Certificate Configuration Tool