Set-CryptoKeySecurity throws exception when the only certificate key is AT_SIGNATURE

Issue #132 resolved
Ondřej Burišin
created an issue

Hi Aaron,

When the certificate keys are only for KeyNumber = AT_SIGNATURE, the function fails with the exception below, although the rights are set in the end. The function fails when instantiating RSACryptoServiceProvider, because the default for KeyNumber is AT_KEYEXCHANGE. What solved the issue was to add this line to Set-CryptoKeySecurity at line 40 after the construction of cspParams:

$cspParams.KeyNumber = $keyContainerInfo.KeyNumber

Exception detail:

Set-CryptoKeySecurity : Failed to grant NT AUTHORITY\NETWORK SERVICE FullControl permission(s) to 'CN=XXX, OU="XXX", O=XXXX, L=XXX, S=XXX, C=XX' (XXX) certificate's private key: System.Security.Cryptography.CryptographicException: Key does not exist.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Carbon\Security\Grant-Permission.ps1:239 char:17
+ Set-CryptoKeySecurity -Certificate $certificate `
+ ~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-CryptoKeySecurity

Best regards, Ondrej Burisin
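The fix described in this issue, shown in context as an added example; it is not Carbon's source code. The function name `Grant-CertPrivateKeyRead` is hypothetical, and the example assumes Windows PowerShell on .NET Framework with a private key stored in a CAPI CSP container. It grants `GenericRead` instead of the FullControl seen in the error message, which is a choice made for this example.

```powershell
# Added example, not Carbon's code. Function name is hypothetical.
function Grant-CertPrivateKeyRead
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [Parameter(Mandatory=$true)]
        [string]$Identity    # e.g. 'NT AUTHORITY\NETWORK SERVICE'
    )

    $privateKey = $Certificate.PrivateKey
    if( $privateKey -isnot [Security.Cryptography.RSACryptoServiceProvider] )
    {
        throw "Certificate $($Certificate.Thumbprint) has no CSP-backed RSA private key."
    }
    $keyContainerInfo = $privateKey.CspKeyContainerInfo

    # Describe the existing container: same provider, same container name.
    $cspParams = New-Object 'Security.Cryptography.CspParameters' -ArgumentList `
                     $keyContainerInfo.ProviderType, $keyContainerInfo.ProviderName, $keyContainerInfo.KeyContainerName

    # The line from this issue: without it KeyNumber keeps its default
    # (AT_KEYEXCHANGE), and a container holding only an AT_SIGNATURE key
    # cannot be opened ("Key does not exist").
    $cspParams.KeyNumber = [int]$keyContainerInfo.KeyNumber

    # Open the existing key only; use the machine store when the key lives there.
    $flags = [Security.Cryptography.CspProviderFlags]::UseExistingKey
    if( $keyContainerInfo.MachineKeyStore )
    {
        $flags = $flags -bor [Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }
    $cspParams.Flags = $flags

    # Start from the key's current ACL and add a read-only rule for the identity.
    $security = $keyContainerInfo.CryptoKeySecurity
    $rule = New-Object 'Security.AccessControl.CryptoKeyAccessRule' -ArgumentList `
                $Identity, ([Security.AccessControl.CryptoKeyRights]::GenericRead), ([Security.AccessControl.AccessControlType]::Allow)
    $security.AddAccessRule($rule)
    $cspParams.CryptoKeySecurity = $security

    # Opening the key with these parameters applies the ACL to the container.
    $rsa = New-Object 'Security.Cryptography.RSACryptoServiceProvider' -ArgumentList $cspParams
    $rsa.Clear()
}
```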
