Setting private key permissions with PowerShell

liu100897 posted on 2023-02-07 13:27

I have a PowerShell script that installs a pfx certificate into the LocalMachine certificate store. The function looks like this:

function Add-Certificate {
param
(
    [Parameter(Position=1, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxPath,

    [Parameter(Position=2, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxPassword
)

    Write-Host "Installing certificate" -ForegroundColor Yellow

    try 
    {
        $pfxcert = new-object system.security.cryptography.x509certificates.x509certificate2
        $pfxcert.Import($pfxPath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")

        $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", LocalMachine
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite");
        $store.Add($pfxcert);
        $store.Close();

        return $pfxcert
    }
    catch 
    {
        throw
    }
}

When I open the certificate manager to verify the installation, I can see that it was installed correctly.

The next step in my process is to assign permissions on the certificate to a service account.

function Set-CertificatePermission
{
    param
    (
        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$pfxThumbPrint,

        [Parameter(Position=2, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$serviceAccount
    )

    $cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object -FilterScript { $PSItem.ThumbPrint -eq $pfxThumbPrint; };

    # Specify the user, the permissions and the permission type
    $permission = "$($serviceAccount)","Read,FullControl","Allow"
    $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;

    # Location of the machine related keys
    $keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
    $keyFullPath = $keyPath + $keyName;

    try
    {
        # Get the current acl of the private key
        # This is the line that fails!
        $acl = Get-Acl -Path $keyFullPath;

        # Add the new ace to the acl of the private key
        $acl.AddAccessRule($accessRule);

        # Write back the new acl
        Set-Acl -Path $keyFullPath -AclObject $acl;
    }
    catch
    {
        throw $_;
    }
}

This function fails. Specifically, it fails when trying to evaluate the Get-Acl command, with the following error: Get-Acl: Cannot find path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\59f1e969a4f7e5de90224f68bc9be536_1d508f5e-0cbc-4eca-a402-3e55947faa3b"

It turns out the key file was installed into my roaming profile: C:\Users\MyUserName\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1259098847-1967870486-1845911597-155499

I'm sure there is something wrong with the Add-Certificate function, but I can't figure out what it is. How do I force it to install the key file in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory?

1 answer
  • The problem is that when the X509Certificate2 is imported via the Import() method, the X509KeyStorageFlags are not configured to write the private key to the machine's private key store. I have updated the function to include the appropriate X509KeyStorageFlags.

    function Add-Certificate {
        [CmdletBinding()]
        param
        (
            [Parameter(Position=1, Mandatory=$true)]
            [ValidateNotNullOrEmpty()]
            [string]$Path,
    
            [Parameter(Position=2, Mandatory=$true)]
            [ValidateNotNullOrEmpty()]
            [string]$Password
        )
    
        Write-Verbose -Message ('Installing certificate from path: {0}' -f $Path);
    
        try 
        {
            # Create the certificate
            $pfxcert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ErrorAction Stop;
            # Combine the flags with -bor (bitwise OR). MachineKeySet places the private key in the
            # machine key store under ProgramData\Microsoft\Crypto instead of the importing user's profile.
            $KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet;
            Write-Verbose ('Key storage flags is: {0}' -f $KeyStorageFlags);
            $pfxcert.Import($Path, $Password, $KeyStorageFlags);
    
            # Create the X509 store and import the certificate
            $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList My, LocalMachine -ErrorAction Stop;
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);
            $store.Add($pfxcert);
            $store.Close();
    
            Write-Output -InputObject $pfxcert;
        }
        catch 
        {
            throw $_;
        }
    }
    

    answered 2023-02-07 13:29
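Once the certificate is imported with MachineKeySet, the second function in the question can be made more robust. The following is an added example written for this page, not code from the question or the answer: it resolves the key container file for both legacy CSP (RSA) keys and CNG keys, refuses to continue if the key landed in a user profile rather than the machine key store (the exact symptom described above), and grants the service account Read access only, which is all a service needs to sign or decrypt with the key. The function name Grant-PrivateKeyReadAccess and its parameters are assumptions of this example; it relies on RSACertificateExtensions::GetRSAPrivateKey (.NET Framework 4.6 and later, Windows PowerShell 5.1) and on the default locations of the Microsoft key storage providers.

```powershell
function Grant-PrivateKeyReadAccess {
    # Added example (not the original poster's code). Grants read-only access on a
    # LocalMachine certificate's private key container to a service account.
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Thumbprint,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$ServiceAccount        # e.g. 'NT SERVICE\MyService' or 'DOMAIN\svc_app' (assumed)
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key attached" }

    # Machine-wide key containers live under ProgramData. A key written to the importing
    # user's profile (the failure in the question) will not be found here, so we check
    # the key store location explicitly instead of guessing a path.
    $machineKeyRoot = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Crypto'
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: container file sits in RSA\MachineKeys and is named by UniqueKeyContainerName
        $info = $rsa.CspKeyContainerInfo
        if (-not $info.MachineKeyStore) {
            throw 'Private key is in a user key store, not the machine key store; re-import with X509KeyStorageFlags MachineKeySet'
        }
        $keyFile = Join-Path -Path $machineKeyRoot -ChildPath ('RSA\MachineKeys\' + $info.UniqueKeyContainerName)
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (Microsoft Software Key Storage Provider): container file sits in Keys\ and is named by UniqueName
        if (-not $rsa.Key.IsMachineKey) {
            throw 'Private key is a per-user CNG key, not a machine key; re-import with X509KeyStorageFlags MachineKeySet'
        }
        $keyFile = Join-Path -Path $machineKeyRoot -ChildPath ('Keys\' + $rsa.Key.UniqueName)
    }
    else {
        throw ('Unsupported private key type: {0}' -f $rsa.GetType().FullName)
    }

    if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key container file not found: $keyFile" }

    # Least privilege: Read is sufficient for a service to use the key. FullControl
    # (as in the question) would also let the account delete or replace the key file.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $ServiceAccount, 'Read', 'Allow'

    $acl = Get-Acl -LiteralPath $keyFile
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    # Return the resulting ACEs for the account so the caller can verify what was applied
    (Get-Acl -LiteralPath $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
}

# Usage (run elevated; thumbprint and account are placeholders):
# Grant-PrivateKeyReadAccess -Thumbprint '<THUMBPRINT>' -ServiceAccount 'NT SERVICE\MyService' -Verbose
```

The MachineKeyStore / IsMachineKey checks turn the "cannot find path" error from the question into an explicit message naming the cause, and returning the applied access rules lets a deployment script assert on the outcome rather than trusting that Set-Acl succeeded.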