Set-CryptoKeySecurity throws exception when the only certificate key is AT_SIGNATURE

Issue #132 resolved
Ondřej Burišin created an issue

Hi Aaron,

when the certificate keys are only for KeyNumber = AT_SIGNATURE, the function fails with the exception below, although the rights are set in the end. The function fails when instantiating RSACryptoServiceProvider, because the default for KeyNumber is AT_KEYEXCHANGE. What solved the issue was to add this line to Set-CryptoKeySecurity at line 40 after the construction of cspParams:

$cspParams.KeyNumber = $keyContainerInfo.KeyNumber

Exception detail:

    Set-CryptoKeySecurity : Failed to grant NT AUTHORITY\NETWORK SERVICE FullControl permission(s) to 'CN=XXX, OU="XXX", O=XXXX, L=XXX, S=XXX, C=XX' (XXX) certificate's private key: System.Security.Cryptography.CryptographicException: Key does not exist.
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Carbon\Security\Grant-Permission.ps1:239 char:17
    + Set-CryptoKeySecurity -Certificate $certificate `
    + ~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-CryptoKeySecurity

Best regards,
Ondrej Burisin

Comments (4)

  1. Aaron Jensen repo owner

    How did you generate your certificate? I'd like to generate one that causes this error so I can have a test that verifies I've fixed this.

  2. Aaron Jensen repo owner

    Unfortunately, I was unable to reproduce this error, but I've made the code change anyway. Should be part of the next release of Carbon.

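The pattern discussed in this issue, as an added example that is not Carbon's own code: the key container is reopened with the `KeyNumber` reported by the certificate, so an `AT_SIGNATURE`-only key is found instead of raising "Key does not exist". The function name `Grant-CspPrivateKeyAccess` and the `GenericRead` default are assumptions for illustration; it assumes Windows PowerShell 5.1 and an RSA key stored in a legacy CSP.

```powershell
# Added example; Grant-CspPrivateKeyAccess is a hypothetical name, not a Carbon function.
# Assumes Windows PowerShell 5.1 (.NET Framework) and an RSA private key held in a legacy CSP.
function Grant-CspPrivateKeyAccess
{
    param(
        [Parameter(Mandatory=$true)]
        [Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory=$true)]
        [string] $Identity,
        # Assumption: default to read-only access rather than FullControl.
        [Security.AccessControl.CryptoKeyRights] $Rights = 'GenericRead'
    )

    if( -not $Certificate.HasPrivateKey )
    {
        throw "Certificate $($Certificate.Thumbprint) has no private key."
    }

    $key = $Certificate.PrivateKey
    if( $key -isnot [Security.Cryptography.RSACryptoServiceProvider] )
    {
        throw 'Private key is not an RSA CSP key; this example does not cover other key types.'
    }

    $info = $key.CspKeyContainerInfo

    # Describe the existing container; never create a new key as a side effect.
    $cspParams = New-Object Security.Cryptography.CspParameters `
                     $info.ProviderType, $info.ProviderName, $info.KeyContainerName
    $flags = 'UseExistingKey'
    if( $info.MachineKeyStore ) { $flags = 'UseExistingKey, UseMachineKeyStore' }
    $cspParams.Flags = $flags

    # The change from the report: CspParameters defaults to AT_KEYEXCHANGE (1), so a
    # container holding only an AT_SIGNATURE (2) key is not found unless this is set.
    $cspParams.KeyNumber = [int]$info.KeyNumber

    # Add the new rule to the key's current ACL and hand the ACL to the parameters.
    $security = $info.CryptoKeySecurity
    $rule = New-Object Security.AccessControl.CryptoKeyAccessRule $Identity, $Rights, 'Allow'
    $security.AddAccessRule($rule)
    $cspParams.CryptoKeySecurity = $security

    # Opening the container with these parameters writes the ACL to the key.
    $rsa = New-Object Security.Cryptography.RSACryptoServiceProvider $cspParams
    $rsa.Clear()
}
```

Printing `$Certificate.PrivateKey.CspKeyContainerInfo.KeyNumber` beforehand shows whether a certificate is affected: `Signature` is the case described in this issue, `Exchange` is the default that already worked.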