gpt4 book ai didi

powershell - 使用PowerShell设置私钥权限

转载 作者:行者123 更新时间:2023-12-04 01:06:35 28 4
gpt4 key购买 nike

我有一个PowerShell脚本,可将pfx证书安装到LocalMachine证书存储中。该函数如下所示:

function Add-Certificate {
param
(
[Parameter(Position=1, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$pfxPath,

[Parameter(Position=2, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$pfxPassword
)

Write-Host "Installing certificate" -ForegroundColor Yellow

try
{
$pfxcert = new-object system.security.cryptography.x509certificates.x509certificate2
$pfxcert.Import($pfxPath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")

$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite");
$store.Add($pfxcert);
$store.Close();

return $pfxcert
}
catch
{
throw
}
}

当我打开证书管理器以验证安装时,我可以看到它已正确安装。

我过程的下一步是将证书的权限分配给服务帐户。
function Set-CertificatePermission
{
param
(
[Parameter(Position=1, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$pfxThumbPrint,

[Parameter(Position=2, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$serviceAccount
)

$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object -FilterScript { $PSItem.ThumbPrint -eq $pfxThumbPrint; };

# Specify the user, the permissions and the permission type
$permission = "$($serviceAccount)","Read,FullControl","Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission;

# Location of the machine related keys
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\";
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
$keyFullPath = $keyPath + $keyName;

try
{
# Get the current acl of the private key
# This is the line that fails!
$acl = Get-Acl -Path $keyFullPath;

# Add the new ace to the acl of the private key
$acl.AddAccessRule($accessRule);

# Write back the new acl
Set-Acl -Path $keyFullPath -AclObject $acl;
}
catch
{
throw $_;
}
}

此功能失败。具体来说,该函数在尝试评估Get-Acl命令时失败,并显示以下错误: Get-Acl:找不到路径'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\59f1e969a4f7e5de90224f68bc9be536_1d508f5e-0cbc-4eca-a402- 3e55947faa3b'

事实证明, key 文件已安装到我的漫游配置文件 中C:\Users\MyUserName\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-125905904747-1967870486-1845911597-155499

我确定Add-Certificate函数有问题,但是我无法弄清楚它是什么。如何强制它在C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys目录中安装 key 文件?

最佳答案

问题是,当通过X509Certificate2方法导入Import()时,没有配置X509KeyStorageFlags将私钥写入计算机的私钥存储中。我已经更新了函数,以包括适当的X509KeyStorageFlags

function Add-Certificate {
[CmdletBinding()]
param
(
[Parameter(Position=1, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$Path,

[Parameter(Position=2, Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string]$Password
)

Write-Verbose -Message ('Installing certificate from path: {0}' -f $Path);

try
{
# Create the certificate
$pfxcert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ErrorAction Stop;
$KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet;
Write-Verbose ('Key storage flags is: {0}' -f $KeyStorageFlags);
$pfxcert.Import($Path, $Password, $KeyStorageFlags);

# Create the X509 store and import the certificate
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList My, LocalMachine -ErrorAction Stop;
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);
$store.Add($pfxcert);
$store.Close();

Write-Output -InputObject $pfxcert;
}
catch
{
throw $_;
}
}

关于powershell - 使用PowerShell设置私钥权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20852807/

28 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com