MMC console - certificate private key handling


We have an application that needs to access the private key of a certificate. We also have a nightly build that sets the certificate up (imports it from a pfx file using certmgr). This works really fine as long as the setup of the certificate and the access of the certificate run under the same logged-in Windows user (Windows 7).

Now, we would like to introduce a test (that is executed automatically during the nightly build) where another user will invoke the program that needs to access the private key of the certificate, and I am struggling with the MMC console -> All Tasks -> Manage Private Keys.

For me it looks like I can change anything in the security settings of "Manage Private keys", but it does not have anything to do with the real ACLs of the certificate. I could reduce the problem to the following manual steps:

  1. User1 imports the certificate into "Local Computer/My" (correct CA in root exists)
  2. User1 selects the certificate in MMC, clicks on "Manage Private Keys" and adds "Users" (group) and "User2" (user) with Full Control permissions.
  3. User1 logs out
  4. User2 logs in
  5. User2 opens MMC, clicks on "Manage Private Keys" --> Error, the MMC console displays "Cannot find the certificate and private key for decryption."

Yet User2 should have access to the private key. So it seems to me that the settings of User1 (both User1 and User2 are in the Administrators group) in MMC have no meaning whatsoever and are ignored by the .NET API that accesses the private key?

Does anybody have any idea why this is so and how I can try to persuade Windows that we really want two users to be able to read the private key of a certificate?

Thanks for any help, Michael

1

There are 1 answers

0
firedfly On

I just ran into this same issue. I was trying to use a code signing certificate as a user that did not import the certificate on the system. When the certificate was originally imported, it was not imported so that the private keys could be exported.

I was able to fix our issue by:

  1. Deleting the existing certificate from the certificate store
  2. Importing the certificate again while making sure it allows exporting of the private keys
  3. Using Manage Private Keys to set the permissions so the second user can access the private keys

After these steps my second user was able to use the code signing certificate properly.
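Steps 2 and 3 of the answer as a script, added here as an example and not the poster's own code. It assumes an elevated PowerShell session on the build host, a hypothetical PFX path and second account, and a CAPI (RSA CSP) key, which is the container whose file ACL the Manage Private Keys dialog edits; it grants Read only, since that is all signing or decryption needs.

```powershell
# Added example, not from the original post. Hypothetical values below.
$pfxPath  = 'C:\build\app-signing.pfx'   # hypothetical PFX location
$grantee  = 'BUILDHOST\User2'            # hypothetical second account
$password = Read-Host -AsSecureString 'PFX password'

Add-Type -AssemblyName System.Security
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]

# Step 2: import with an exportable, machine-scoped, persisted key. Without
# MachineKeySet and PersistKeySet the key container lands in the importing
# user's profile (or is discarded), which is the state the question describes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $password,
    ($flags::Exportable -bor $flags::MachineKeySet -bor $flags::PersistKeySet))

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 3, scripted: the machine CSP key lives as a file under MachineKeys, and
# Manage Private Keys edits exactly this file's ACL. Grant the test user Read.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grantee, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Check to run as the second user: the key is usable only if PrivateKey resolves.
function Test-PrivateKeyAccess([string]$thumbprint) {
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $s.Open('ReadOnly')
    $c = $s.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
    $s.Close()
    return ($c -ne $null -and $c.HasPrivateKey -and $c.PrivateKey -ne $null)
}
Write-Host "Imported $($cert.Thumbprint); run Test-PrivateKeyAccess as $grantee to confirm."
```

If the PFX was created with a CNG key provider the container file is under `$env:ProgramData\Microsoft\Crypto\Keys` instead and `$cert.PrivateKey` is null, so resolve the key name from the CNG key object rather than from CspKeyContainerInfo.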