86 lines
3.0 KiB
PowerShell
86 lines
3.0 KiB
PowerShell
|
function Grant-AclOnCert {
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
Set the ACL on a certificate by thumbprint
|
||
|
|
|
||
|
|
.PARAMETER Thumbprint
|
||
|
|
The certificate thumbprint to apply permissions to
|
||
|
|
|
||
|
|
.PARAMETER FriendlyName
|
||
|
|
The certificate friendly name to apply permissions to
|
||
|
|
|
||
|
|
.PARAMETER Identity
|
||
|
|
The user or group to apply privileges to
|
||
|
|
|
||
|
|
.PARAMETER FileSystemRights
|
||
|
|
What rights are being granted
|
||
|
|
|
||
|
|
.PARAMETER AccessControlType
|
||
|
|
AccessControlType of permission to apply. Usually "Allow"
|
||
|
|
|
||
|
|
.PARAMETER StoreName
|
||
|
|
The store where the certificate is found. Most commonly used is 'My'
|
||
|
|
#>
|
||
|
|
[CmdletBinding(DefaultParameterSetName = 'Thumbprint')]
|
||
|
|
param(
|
||
|
|
[Parameter(Mandatory = $true, ParameterSetName = 'Thumbprint', Position = 0)]
|
||
|
|
[psobject]$Thumbprint,
|
||
|
|
[Parameter(Mandatory = $true, ParameterSetName = 'FriendlyName', Position = 0)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string]$FriendlyName,
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[string]$Identity,
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[System.Security.AccessControl.FileSystemRights]$FileSystemRights,
|
||
|
|
[Parameter(Mandatory = $false)]
|
||
|
|
[string]$AccessControlType = "Allow",
|
||
|
|
[Parameter(Mandatory = $false)]
|
||
|
|
[string]$StoreName = "My"
|
||
|
|
)
|
||
|
|
|
||
|
|
$logLead = Get-LogLeadName
|
||
|
|
|
||
|
|
$certs = @()
|
||
|
|
|
||
|
|
if ($PSCmdlet.ParameterSetName -eq 'Thumbprint') {
|
||
|
|
$certs += Get-Item -Path cert:\LocalMachine\$StoreName\$Thumbprint
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($PSCmdlet.ParameterSetName -eq 'FriendlyName') {
|
||
|
|
$certs += (Get-ChildItem -Path cert:\LocalMachine\$StoreName\).Where({$_.FriendlyName -eq $FriendlyName})
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($certs.Count -eq 0) {
|
||
|
|
if ($PSCmdlet.ParameterSetName -eq 'Thumbprint') {
|
||
|
|
Write-Warning "$logLead : No certificate found at path [cert:\LocalMachine\$StoreName\$Thumbprint]"
|
||
|
|
}
|
||
|
|
if ($PSCmdlet.ParameterSetName -eq 'FriendlyName') {
|
||
|
|
Write-Warning "$logLead : No certificate found at path [cert:\LocalMachine\$StoreName] with FriendlyName [$FriendlyName]"
|
||
|
|
}
|
||
|
|
return
|
||
|
|
}
|
||
|
|
|
||
|
|
# This is the known location where these are stored
|
||
|
|
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
|
||
|
|
|
||
|
|
foreach ($cert in $certs) {
|
||
|
|
# This is a magic value
|
||
|
|
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
|
||
|
|
|
||
|
|
# Get the full path of where the file should exist
|
||
|
|
$keyFullPath = $keyPath + $keyName
|
||
|
|
|
||
|
|
if ([string]::IsNullOrWhiteSpace($keyName)) {
|
||
|
|
Write-Warning "$logLead : Either the file does not exist at [$keyFullPath] or you don't have permission to get details about this file."
|
||
|
|
return
|
||
|
|
}
|
||
|
|
|
||
|
|
# Get the ACL object so we can add stuff to it
|
||
|
|
$acl = (Get-Item $keyFullPath).GetAccessControl("Access")
|
||
|
|
$permission = $Identity,$FileSystemRights,$AccessControlType
|
||
|
|
$accessRule = New-Object -Type System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
|
||
|
|
$acl.AddAccessRule($accessRule)
|
||
|
|
Set-Acl -Path $keyFullPath -AclObject $acl
|
||
|
|
}
|
||
|
|
}
|