milesgratz/Update-machine-certificate-private-key-permissions.ps1

## Update-machine-certificate-private-key-permissions.ps1
# Get cert on local computer by thumbprint
$thumbprint = '89D3FC64B6405E161EDC7A4CF14E111F5F6895AA'
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }

###################################################
# Manage private key of CAPI cert
###################################################

# Find private key
$privKey = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = "$($env:ProgramData)\Microsoft\Crypto\RSA\MachineKeys\"
$privKeyPath = (Get-Item "$keyPath\$privKey")

# Update ACL to allow "READ" permissions from "NT AUTHORITY\NETWORK SERVICE"
$Acl = Get-Acl $privKeyPath
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "Read", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $privKeyPath.FullName $Acl

###################################################
# Manage private key of CNG cert
###################################################

# Find CNG (rsa) private key
$privKey = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)).key.UniqueName
$keyPath = "$($env:ProgramData)\Microsoft\Crypto\Keys\"
$privKeyPath = (Get-Item "$keyPath\$privKey")

# Update ACL to allow "READ" permissions from "NT AUTHORITY\NETWORK SERVICE"
$Acl = Get-Acl $privKeyPath
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "Read", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $privKeyPath.FullName $Acl
	# Get cert on local computer by thumbprint
	$thumbprint = '89D3FC64B6405E161EDC7A4CF14E111F5F6895AA'
	$Cert = Get-ChildItem Cert:\LocalMachine\My \| Where-Object { $_.Thumbprint -eq $thumbprint }

	###################################################
	# Manage private key of CAPI cert
	###################################################

	# Find private key
	$privKey = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
	$keyPath = "$($env:ProgramData)\Microsoft\Crypto\RSA\MachineKeys\"
	$privKeyPath = (Get-Item "$keyPath\$privKey")

	# Update ACL to allow "READ" permissions from "NT AUTHORITY\NETWORK SERVICE"
	$Acl = Get-Acl $privKeyPath
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "Read", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl $privKeyPath.FullName $Acl

	###################################################
	# Manage private key of CNG cert
	###################################################

	# Find CNG (rsa) private key
	$privKey = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)).key.UniqueName
	$keyPath = "$($env:ProgramData)\Microsoft\Crypto\Keys\"
	$privKeyPath = (Get-Item "$keyPath\$privKey")

	# Update ACL to allow "READ" permissions from "NT AUTHORITY\NETWORK SERVICE"
	$Acl = Get-Acl $privKeyPath
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE", "Read", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl $privKeyPath.FullName $Acl