Managing Private Key Access for Certificates in Windows Server 2003
Problem:
The Certificates Snap-in for the Microsoft Management Console in Windows Server 2003 does not offer the "Manage Private Keys..." option, so it cannot be used to grant user accounts access to a certificate's private key.

Solution:
The only way to assign the necessary permissions is the WinHttpCertCfg.exe console application that is part of the Windows Server 2003 Resource Kit Tools.

1. Open a command prompt at the location where you installed the Windows Server 2003 Resource Kit Tools.
2. The winhttpcertcfg.exe utility is used both to view the accounts that already have access to the certificate's private key and to grant access to additional accounts.
3. To view the list of accounts that have access to the certificate's private key, use the following syntax:
   - winhttpcertcfg -l -c [Certificate Store Name] -s [The Name of the Certificate]
   - Example: winhttpcertcfg -l -c LOCAL_MACHINE\My -s "Named Server Certificate"
4. To grant an additional account access to the certificate's private key, use the following syntax:
   - winhttpcertcfg -g -c [Certificate Store Name] -s [The Name of the Certificate] -a [UserName]
   - Example: winhttpcertcfg -g -c LOCAL_MACHINE\My -s "Named Server Certificate" -a ADDomain\ADUserName
5. After granting the required permissions, re-run the list command immediately; the output should now include the account(s) you added in step 4.
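The list that winhttpcertcfg -l prints is really the ACL on the key container file that backs the certificate's private key. The following PowerShell script is an added example, not part of the original article or of the Resource Kit: it locates the certificate in LOCAL_MACHINE\My by subject CN, resolves the key container file under the MachineKeys folder, prints the accounts that can reach it, and warns when a broad group (Everyone, Users, Authenticated Users) has been granted access. It assumes PowerShell 2.0 or later is installed on the server, that the key is a CAPI (RSA CSP) key as on Windows Server 2003, and that the caller has enough rights to open the key; the $SubjectName parameter and the broad-group pattern are assumptions of this example.

```powershell
# Added example (not from the original article): audit who can read the private key
# of a certificate in LOCAL_MACHINE\My, the same information "winhttpcertcfg -l" reports.
# Assumptions: PowerShell 2.0+, a CAPI (RSA CSP) key, and the Server 2003 MachineKeys path.
param(
    [Parameter(Mandatory = $true)]
    [string]$SubjectName   # e.g. "Named Server Certificate" (matched against the Subject CN)
)

# Open the local machine personal store read-only and find the certificate by CN.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $cert = $store.Certificates |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
} finally {
    $store.Close()
}
if (-not $cert) { throw "No certificate with CN '$SubjectName' in LOCAL_MACHINE\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$SubjectName' has no private key in this store" }

# For CAPI keys the CSP exposes the unique container name, which is also the file
# name under MachineKeys. Accessing .PrivateKey throws if the caller lacks key access.
$csp       = $cert.PrivateKey   # RSACryptoServiceProvider on Windows Server 2003
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path ([Environment]::GetFolderPath("CommonApplicationData")) `
                       "Microsoft\Crypto\RSA\MachineKeys\$container"

# The file ACL is what winhttpcertcfg -g modifies and winhttpcertcfg -l lists.
$acl = Get-Acl -Path $keyFile
"Thumbprint : $($cert.Thumbprint)"
"Key file   : $keyFile"
"Accounts with access to the private key:"
$acl.Access | ForEach-Object {
    "{0,-40} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
}

# Defender check (assumed policy): a private key should be readable only by the
# specific service or application accounts that need it, never by a broad group.
$broadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $broadGroups
}
if ($broad) {
    Write-Warning "Private key of '$SubjectName' is readable by a broad group; tighten the ACL."
}
```

Run it before and after the winhttpcertcfg -g step to confirm that exactly the intended account was added and nothing else changed; because it reads the ACL directly, it also works as a periodic audit of every certificate in the store if you loop over $store.Certificates instead of selecting one CN.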
References:
Windows Server 2003 Resource Kit Tools
WinHttpCertCfg.exe, A Certificate Configuration Tool