Details of the scenario you tried and the problem that is occurring
I need to allow a machine certificate's private key to be read by certain users in a development environment.
Since Certificates are a PowerShell path, and have access rules, I thought this resource would work.
Currently I am using:
Import-Module GuardedFabricTools
$certificate = Get-ChildItem "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
#$certificate.Acl = $certificate.Acl | Add-AccessRule "${UserName}" Read Allow
$acl = $certificate.Acl
$newFileSystemAccessRuleParameters = @{
    TypeName     = 'System.Security.AccessControl.FileSystemAccessRule'
    ArgumentList = @(
        "${UserName}",
        [System.Security.AccessControl.FileSystemRights] @('Read'),
        'None',
        'None',
        'Allow'
    )
}
$fileSystemAccessRule = New-Object @newFileSystemAccessRuleParameters
$acl.SetAccessRule($fileSystemAccessRule)
Verbose logs showing the problem
Method invocation failed because [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named
'GetAccessControl'.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : MethodNotFound
+ PSComputerName : localhost
Suggested solution to the issue
- Depend on GuardedFabricTools
- Update the Get-ACLAccess function to also check if .Acl is available if .GetAccessControl('Access') fails, and use that instead.
- Handle the case where System.Security.AccessControl.InheritanceFlags are not valid for an object.
$certificate.Acl is a "System.Security.AccessControl.FileSystemSecurity", which is the same type as returned by .GetAccessControl('Access').
The DSC configuration that is used to reproduce the issue (as detailed as possible)
FileSystemAccessRule Cert {
    Identity = $ConfigurationData.Credentials.UserName
    Path     = "Cert:\LocalMachine\${CertStoreLocation}\${CertFingerprint}"
    Rights   = "Read"
    Ensure   = [Ensure]::Present
}
The operating system the target node is running
OsName : Microsoft Windows 10 Enterprise LTSC
OsOperatingSystemSKU : 125
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version and build of PowerShell the target node is running
Name Value
PSVersion 5.1.19041.5129
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.5129
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used
1.1.1
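The fallback described under "Suggested solution" above, as an added example that is neither the issue author's code nor the module's own Get-ACLAccess: resolve the ACL through GetAccessControl() where the item supports it, otherwise through the .Acl property. It assumes GuardedFabricTools is imported so that Cert: items expose a readable and writable .Acl property of type FileSystemSecurity, as the issue states; the function names Get-ItemAccessControl and Grant-ReadAccessRule are hypothetical.

```powershell
# Added example; assumes GuardedFabricTools adds a settable .Acl
# (FileSystemSecurity) to X509Certificate2 items, as the issue states.
Import-Module GuardedFabricTools

function Get-ItemAccessControl {
    param([Parameter(Mandatory)] [string] $Path)

    $item = Get-Item -Path $Path -ErrorAction Stop
    # File system items expose GetAccessControl(); Cert: items do not.
    if ($item.PSObject.Methods['GetAccessControl']) {
        return $item.GetAccessControl('Access')
    }
    # Fallback: the .Acl property is the same FileSystemSecurity type.
    if ($item.PSObject.Properties['Acl']) {
        return $item.Acl
    }
    throw "No access control information is available for '$Path'."
}

function Grant-ReadAccessRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    $item = Get-Item -Path $Path -ErrorAction Stop
    $acl  = Get-ItemAccessControl -Path $Path

    # A certificate is a leaf object: inheritance and propagation flags
    # do not apply, so both are set to None (the case the issue asks
    # the resource to handle).
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)

    # Write the modified ACL back through whichever surface the item has.
    if ($item.PSObject.Methods['SetAccessControl']) {
        $item.SetAccessControl($acl)     # file system path
    } else {
        $item.Acl = $acl                 # Cert: path (GuardedFabricTools)
    }
    # Return the effective entries so the caller can verify only Read
    # was granted to the intended identity.
    return (Get-ItemAccessControl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}
```

Running Grant-ReadAccessRule against a Cert:\LocalMachine path with an account from the development environment and inspecting the returned entries confirms the rule was written without the GetAccessControl error shown in the verbose log.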