使用PowerShell设置私钥权限

我有一个PowerShell脚本，它将pfx证书安装到LocalMachine证书存储中。函数如下所示：

function Add-Certificate {
param
(
    [Parameter(Position=1, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxPath,

    [Parameter(Position=2, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxPassword
)

    Write-Host "Installing certificate" -ForegroundColor Yellow

    try 
    {
        $pfxcert = new-object system.security.cryptography.x509certificates.x509certificate2
        $pfxcert.Import($pfxPath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")

        $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", LocalMachine
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite");
        $store.Add($pfxcert);
        $store.Close();

        return $pfxcert
    }
    catch 
    {
        throw
    }
}

当我打开证书管理器来验证安装时，我可以看到它已正确安装

我的流程的下一步是将证书的权限分配给服务帐户

function Set-CertificatePermission
{
    param
    (
        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$pfxThumbPrint,

        [Parameter(Position=2, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$serviceAccount
    )

    $cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object -FilterScript { $PSItem.ThumbPrint -eq $pfxThumbPrint; };

    # Specify the user, the permissions and the permission type
    $permission = "$($serviceAccount)","Read,FullControl","Allow"
    $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;

    # Location of the machine related keys
    $keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
    $keyFullPath = $keyPath + $keyName;

    try
    {
        # Get the current acl of the private key
        # This is the line that fails!
        $acl = Get-Acl -Path $keyFullPath;

        # Add the new ace to the acl of the private key
        $acl.AddAccessRule($accessRule);

        # Write back the new acl
        Set-Acl -Path $keyFullPath -AclObject $acl;
    }
    catch
    {
        throw $_;
    }
}

此功能失败。具体而言，此函数在尝试评估Get Acl命令时失败，并出现以下错误：Get Acl:找不到路径“C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\59f1e969a4f7e5de90224f68bc9be536_1d508f5e-0BCC-4eca-a402-3e55947faa3b”

事实证明，密钥文件已安装到我的漫游配置文件C:\Users\MyUserName\AppData\roaming\Microsoft\Crypto\RSA\S-1-5-21-1259098847-1967870486-1845911597-155499

---

我肯定addcertificate函数有问题，但我无法确定它是什么。如何强制它在C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys目录中安装密钥文件？

问题在于通过

Import（）

方法导入

X509Certificate2

时，未将

x509keystrageflags

配置为将私钥写入计算机的私钥存储。我已经更新了该函数，以包含适当的

x509keystrageflags

function Add-Certificate {
    [CmdletBinding()]
    param
    (
        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Path,

        [Parameter(Position=2, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Password
    )

    Write-Verbose -Message ('Installing certificate from path: {0}' -f $Path);

    try 
    {
        # Create the certificate
        $pfxcert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ErrorAction Stop;
        $KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet;
        Write-Verbose ('Key storage flags is: {0}' -f $KeyStorageFlags);
        $pfxcert.Import($Path, $Password, $KeyStorageFlags);

        # Create the X509 store and import the certificate
        $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList My, LocalMachine -ErrorAction Stop;
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);
        $store.Add($pfxcert);
        $store.Close();

        Write-Output -InputObject $pfxcert;
    }
    catch 
    {
        throw $_;
    }
}

---

由于windows错误，提供的脚本对我有效（谢谢！），只做了一个更改（请参阅）

以下是更新后的脚本：

---

仅供参考，我知道这并不能解决主要问题，但请尝试。。catch语句将仅捕获PowerShell中的终止错误。大多数cmdlet都会生成非终止错误，因此要将其更改为终止错误，请使用

Get Acl

上的

-ErrorAction

参数，并将值设置为

Stop

。谢谢@TrevorSullivan，我会立即进行更改。非常欢迎您。顺便问一下，您不使用

Import-PfxCertificate

cmdlet有什么原因吗？@TrevorSullivan据我所知，这只在Windows 2012中可用。您运行的是什么版本的Windows和PowerShell？我也在看同样的事情。我遇到的问题是，这会设置文件系统的权限，但不会设置私钥本身的权限（例如，在证书管理器中右键单击证书->所有任务->管理私钥）。知道如何修改吗？只需添加一项：try-catch中的GetAccessControl不是cmdlet，需要放在括号中。否则，看起来很酷：）对于出现并尝试使用此答案的任何人，try catch中带有$acl的行应该如下所示：$acl=（Get Item$keyFullPath）。GetAccessControl（'Access'）我注意到这是授予“Read，FullControl”。什么时候需要包含“完全控制”，什么时候“读取”就足够了？

function Set-CertificatePermission
{
 param
 (
    [Parameter(Position=1, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxThumbPrint,

    [Parameter(Position=2, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$serviceAccount
 )

 $cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object -FilterScript { $PSItem.ThumbPrint -eq $pfxThumbPrint; };

 # Specify the user, the permissions and the permission type
 $permission = "$($serviceAccount)","Read,FullControl","Allow"
 $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;

 # Location of the machine related keys
 $keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
 $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
 $keyFullPath = $keyPath + $keyName;

 try
 {
    # Get the current acl of the private key
    $acl = (Get-Item $keyFullPath).GetAccessControl

    # Add the new ace to the acl of the private key
    $acl.AddAccessRule($accessRule);

    # Write back the new acl
    Set-Acl -Path $keyFullPath -AclObject $acl;
 }
 catch
 {
    throw $_;
 }
}