Thursday, June 14, 2012

Managing Private Key Access for Certificates in Windows Server 2003


Problem:

The Certificates Snap-in for the Microsoft Management Console in Windows Server 2003 does not allow you to "Manage Private Keys...", which makes it impossible to grant user accounts access to a certificate's private key using the Certificates Snap-in.

Solution:

The only option to assign the necessary permissions is the WinHttpCertCfg.exe console application that is part of the Windows Server 2003 Resource Kit Tools.

  1. Open a command prompt to the location where you have installed the Windows Server 2003 Resource Kit Tools.
  2. We are going to use the winhttpcertcfg.exe utility to view the accounts that already have access to the certificate's private key, and also to grant permissions to additional accounts.
  3. To view the list of accounts that have access to the certificate's private key, use the following syntax:
    • winhttpcertcfg -l -c [Certificate Store Name] -s [The Name of the Certificate]
    • Example: winhttpcertcfg -l -c LOCAL_MACHINE\My -s "Named Server Certificate"
  4. To grant an additional account access to the certificate's private key, use the following syntax:
    • winhttpcertcfg -g -c [Certificate Store Name] -s [The Name of the Certificate] -a [UserName]
    • Example: winhttpcertcfg -g -c LOCAL_MACHINE\My -s "Named Server Certificate" -a ADDomain\ADUserName
  5. After granting the permissions that are required, you can immediately re-issue the command to list the accounts that have access. The result should now contain the account(s) you added in step 4.
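As an added example that is not part of the original post, the batch script below runs steps 3 through 5 end to end from a command prompt: it lists the accounts that already have access, grants the one additional account, then lists again and fails if that account is still missing. The store name, certificate subject and account are the placeholders from the steps above; the default Resource Kit Tools install folder is an assumption, and the errorlevel checks assume winhttpcertcfg.exe returns a nonzero exit code on failure, which is why the final check on the listing output is the one to rely on.

```batch
@echo off
REM Added example, not code from the original post: list, grant, then verify
REM private key access for one certificate with winhttpcertcfg.exe.
REM Replace the four values below with your own store, subject, account
REM and Resource Kit Tools install folder (the folder shown is the default
REM install path and is an assumption).
setlocal

set "STORE=LOCAL_MACHINE\My"
set "SUBJECT=Named Server Certificate"
set "ACCOUNT=ADDomain\ADUserName"
set "RKTOOLS=C:\Program Files\Windows Resource Kits\Tools"
set "WHCC=%RKTOOLS%\winhttpcertcfg.exe"

if not exist "%WHCC%" (
    echo winhttpcertcfg.exe was not found at "%WHCC%".
    exit /b 1
)

REM Step 3: show who already has access before anything is changed.
echo === Accounts with private key access before the change ===
"%WHCC%" -l -c %STORE% -s "%SUBJECT%"
if errorlevel 1 (
    echo Could not list private key access; check the store name and subject.
    exit /b 1
)

REM Step 4: grant exactly one account; grant only the account that will
REM actually use the key rather than a broad group.
echo === Granting private key access to %ACCOUNT% ===
"%WHCC%" -g -c %STORE% -s "%SUBJECT%" -a %ACCOUNT%
if errorlevel 1 (
    echo Grant failed.
    exit /b 1
)

REM Step 5: list again and require the new account to appear. The user
REM part of DOMAIN\user is searched on its own so that findstr never sees
REM the backslash, which it otherwise treats as an escape character.
for /f "tokens=2 delims=\" %%u in ("%ACCOUNT%") do set "USERPART=%%u"
echo === Verifying ===
"%WHCC%" -l -c %STORE% -s "%SUBJECT%" | findstr /i /c:"%USERPART%" >nul
if errorlevel 1 (
    echo %ACCOUNT% does not appear in the access list; the grant did not take effect.
    exit /b 1
)

echo %ACCOUNT% now has access to the private key of "%SUBJECT%".
endlocal
exit /b 0
```

Run it from an elevated command prompt on the server that holds the certificate; the script stops at the first step that fails, so a nonzero exit code means the access list was not changed as intended and should be inspected by hand with the -l command from step 3.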

References:

Windows Server 2003 Resource Kit Tools
WinHttpCertCfg.exe, A Certificate Configuration Tool