How do I set permissions on a service certificate store?

Solution 1:

I don't think you're able to import certificates into another user's personal store. I would recommend adding it to the machine's store and giving the service user access to the certificates/keys there. You might also try logging on/runas the service user and adding it that way but I've never tried that.

Edit: I have confirmed this after testing, although I am not sure if this is the expected behavior due to poor documentation of certutil. certutil.exe -store -service (StoreName) seems to be the proper syntax to access the certificates under a service store. The service store is located at HKLM\SOFTWARE\Microsoft\Cryptography\Services\(ServiceName)\ in the registry, but certutil inserts the current user's SID instead of the service name when searching like this: HKLM\Software\Microsoft\Cryptography\Services\(SID)\SystemCertificates\, making the search fail. You can override the SID with the -sid parameter, but it doesn't seem to work if you provide the service name. If you look up the service SID with sc.exe showsid (ServiceName) and plug that in, it says "The user name or password is incorrect." It seems that certutil only supports a couple of well-known SIDs (I even tried converting the service SID to its numeric form). If you'd like to replicate my work, you'll need to bust out Procmon.

So, having found that, I am going to assume you can only import certificates if you run certutil under the context of the service. It seems the easiest way to solve your issue would be to either

  1. manually edit the registry
  2. store the certificates in the machine store, and give the service permissions to them
  3. store the certificates in the user store of the user that the service runs as
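Option 2 above (keep the certificate in the machine store and grant the service access to its private key) can be scripted. The following PowerShell is an added example, not part of this answer or the original question; the service name `MyService` and the thumbprint are placeholders, and the identity `NT SERVICE\<ServiceName>` is the per-service SID that `sc.exe showsid` reports. It locates the key file behind a LocalMachine\My certificate, adds a Read ACE for the service, and lists the resulting ACEs so the change can be checked.

```powershell
# Added example, not code from the original answer. Values below are placeholders.
$serviceName = 'MyService'                                   # placeholder service name
$thumbprint  = '0000000000000000000000000000000000000000'    # placeholder thumbprint

# The per-service SID resolves as NT SERVICE\<ServiceName>; sc.exe showsid prints the same SID.
$serviceAccount = "NT SERVICE\$serviceName"
& sc.exe showsid $serviceName

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)                { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key to grant access to" }

# Resolve the on-disk key file. CNG machine keys live under ProgramData\Microsoft\Crypto\Keys,
# legacy CAPI machine keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key is not RSA (or not accessible); this example handles RSA keys only" }

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = $rsa.Key.UniqueName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyFile"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyFile"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyPath)) { throw "Key file not found on disk: $keyPath" }

# Grant Read only: the service needs to use the key, not replace or delete it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the change: show the ACEs on the key file that belong to service SIDs.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

This does the same thing as "Manage Private Keys" on the certificate in certlm.msc. It assumes the service's SID type is set so that the `NT SERVICE\<ServiceName>` SID is present in its token (`sc.exe qsidtype <ServiceName>` shows this); if the service instead runs under a dedicated account, put that account in `$serviceAccount`. Keys held in a TPM or HSM have no file under ProgramData, so the `Test-Path` check fails for them and permissions must be managed through the key storage provider instead.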