Score:1

How do I set permissions on a service certificate store?

cz flag

I have a service that requires access to its own certificate store but gets an access denied.

I checked with mmc and the Certificates snapin for the service and the store exists and contains certificates. However, in the snapin I cannot see or set permissions.

I tried dumping the certificates (for a test, later to change permissions) using certutil but I keep getting a FAILED with "The parameter is incorrect". Syntax I use is

certutil -service -store servicename\my

The servicename is my service's name and "my" is correctly identified as the name of the "Personal" store of the service by certutil. I know the store exists since mmc shows it.

What am I doing wrong with certutil?

Score:2
cn flag

I don't think you're able to import certificates into another user's personal store. I would recommend adding it to the machine's store and giving the service user access to the certificates/keys there. You might also try logging on/runas the service user and adding it that way but I've never tried that.

Edit: I have confirmed this after testing, although I am not sure if this is the expected behavior due to poor documentation of certutil. certutil.exe -store -service (StoreName) seems to be the proper syntax to access the certificates under a service store. The service store is located at HKLM\SOFTWARE\Microsoft\Cryptography\Services\(ServiceName)\ in the registry, but certutil inserts the current user's SID instead of the service name when searching like this: HKLM\Software\Microsoft\Cryptography\Services\(SID)\SystemCertificates\, making the search fail. You can override the SID with the -sid parameter, but it doesn't seem to work if you provide the service name. If you look up the service SID with sc.exe showsid (ServiceName) and plug that in, it says "The user name or password is incorrect." It seems that certutil only supports a couple of well-known SIDs (I even tried converting the service SID to its numeric form). If you'd like to replicate my work, you'll need to bust out Procmon.

So, having found that, I am going to assume you can only import certificates if you run certutil under the context of the service. It seems the easiest way to solve your issue would be to either

  1. manually edit the registry
  2. store the certificates in the machine store, and give the service permissions to them
  3. store the certificates in the user store of the user that the service runs as
flashbang avatar
cn flag
Potentially related - https://serverfault.com/questions/450831/remove-a-certificate-from-the-windows-network-service-certificate-store?rq=1
cz flag
No, that't not it. I don't want to import certificates into another user's personal store. (In fact, neither importing nor another user's store are mentioned in the question.) This is about service stores (not service users' stores) which mmc can look at but certutil apparently cannot.
flashbang avatar
cn flag
Hi @AndrewJ.Brehm - I have updated my answer with some research which I believe confirms my original theory.
cz flag
Interesting observations. But how can I run in the context of the service as opposed to the context of the service account?
flashbang avatar
cn flag
Good question, one way I can think of is to use psexec. It seems it supports a `-r` flag which allows you to interact with a service, but that may not work since I think psexec runs as its own service. You could also potentially try something in PowerShell like this: `New-PSDrive MySvcCert -PSProvider Certificate -Root '(ServiceName)\My'` then `cd MySvcCert:` but I've never done that.
SamErde avatar
gg flag
Have you tried using the "well known SID" of the local Administrators group or LOCAL SYSTEM?
flashbang avatar
cn flag
@SturdyErde I tried one of the well-known SIDs it supported (Network Service - 24) and it inserted the full `S-1-5-20` SID. Didn't feel like checking the others, but I'd assume it would be similar. The other two it claims to support are 22 and 23 for Local System/Local Service.
cz flag
Those are still sids for accounts. Here I need access to the service's cert store, not a specific account's (and not the service account's either).
LeeM avatar
cn flag
I realise this is older, but for anyone else's info, instantiating a PSDrive with the cert provider doesn't work with a Service account root - it seems to be using `[system.security.cryptography.x509certificates.storelocation]`, which only has values for `CurrentUser` and `LocalMachine`. https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storelocation
LeeM avatar
cn flag
Since MS seems to treat `Certutil` as abandonware and isn't fixing the bug or providing a PS alternative, I get around it like this: install the required cert to the LocalMachine store, grant LocalService Read perms, and copy the cert into the Service store location in the registry. To check cert validity and so on, my scripts read the details out of the LocalMachine copy. Another annoyance is that I haven't figured out how to create the Service store the first time without using the Certificates MMC.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.