Minimal permissions to import a LocalMachine certificate in Windows (Server)

I'm looking into the minimal permissions required to import a certificate into a particular local machine store.

The best information I can find is on Working with Certificates, where it says:

Stores are protected by access control lists (ACLs), just like folders on a computer.

But I can't find any information on how to modify the ACL list of a store. The best I can find relates to individual certificates, but that's not what I'm after.

What I've tried so far is attempting to find a UI via the MMC interface, and attempting to use Get/Set-Acl Cmdlets with cert:\LocalMachine\WebHosting. The former found nothing, and the latter fails saying that the folder doesn't support ACLs.

Any thoughts?


Solution 1:

It turns out that Certificate Stores are primarily registry-based (the PKs are stored on disk, but no special access is required so it can be ignored), and make use of registry ACLs for access.

The local machine certificates are all stored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\

I also discovered that it's not possible to grant "Write, but not delete" access as even the native APIs used by X509Store.Open(ReadWrite) will fail if it's not set.

Below is a script that can be used to grant access to import certificates to the "Web Hosting" store:

# Account that should be allowed to import certificates (no local admin membership needed)
$username = "SomeNonAdminUser"

# The store is backed by a registry key; "WebHosting" is the "Web Hosting" store
$acl = Get-Acl HKLM:\SOFTWARE\Microsoft\SystemCertificates\WebHosting

# Drop any existing rules for this account so the grant below is the only one
$rule = $acl.Access | Where-Object { $_.IdentityReference -like "*\$username" }

if ($rule)
{
    $rule | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
}

# CreateSubKey and SetValue let the account add a certificate (one subkey per thumbprint);
# Delete has to be included as well, otherwise X509Store.Open(ReadWrite) fails.
# The inheritance flags apply the rule to the key and everything created beneath it.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule `
    $username, `
    [System.Security.AccessControl.RegistryRights]"CreateSubKey, ReadKey, SetValue, Delete", `
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit", `
    [System.Security.AccessControl.PropagationFlags]"None", `
    "Allow"

$acl.AddAccessRule($rule)

# Write the modified ACL back to the store's registry key
$acl | Set-Acl
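Since the store's permissions live on a registry key, the same key can be audited later to see which accounts are able to write to it, and the grant can be verified the way the answer describes, by opening the store read-write as that account. The following is an added example written for this page, not code from the answer above; it assumes the "WebHosting" store name used there, and Test-CertStoreWriteAccess only answers the question for the account it is run under.

```powershell
# Added example: audit and verify access to a LocalMachine certificate store.
# The store name is passed in; "WebHosting" below is an assumed value.

function Get-CertStoreWriters {
    # Lists Allow ACEs on the store's registry key that carry rights sufficient
    # to add or replace certificates (one subkey per thumbprint under the key).
    param(
        [Parameter(Mandatory)][string]$StoreName
    )
    $path = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName"
    if (-not (Test-Path -Path $path)) { throw "Store key not found: $path" }

    # Rights that allow modifying the store. ReadKey is deliberately excluded:
    # read-only principals are expected and not interesting for this audit.
    $writeRights = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor `
                   [int][System.Security.AccessControl.RegistryRights]::SetValue -bor `
                   [int][System.Security.AccessControl.RegistryRights]::Delete

    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Store     = $StoreName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

function Test-CertStoreWriteAccess {
    # Run this as the account that was granted access. X509Store.Open(ReadWrite)
    # throws a CryptographicException when the registry ACL does not permit it,
    # which is the same check an import would hit.
    param(
        [Parameter(Mandatory)][string]$StoreName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        $StoreName, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        return $true
    }
    catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
    finally {
        $store.Close()
    }
}

# Usage (store name is an assumption for this example):
Get-CertStoreWriters -StoreName 'WebHosting' | Format-Table -AutoSize
"Can open WebHosting read-write as $env:USERNAME: $(Test-CertStoreWriteAccess -StoreName 'WebHosting')"
```

Get-CertStoreWriters will normally report SYSTEM and Administrators (inherited from the parent key) plus any account added with a script like the one in the answer; anything else with CreateSubKey or SetValue is worth a second look, because that principal can place a certificate in the store. Running Get-CertStoreWriters across every subkey of HKLM:\SOFTWARE\Microsoft\SystemCertificates gives the same picture for all local machine stores.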