For the most part, Windows users and administrators don’t ever have to worry about how or where their private keys are stored.
After all, your private key is yours, and it’s private. You request it to be generated, and then you never need to touch it; it’s already in your store – somewhere.
But every now and again, there’s a reason to do so – the classic example being when you want to run a service under its own account (because you don’t want to use “SYSTEM”, or worse, the user account of a real person). When you need to do this – whether it’s an AD-AM instance, or an FTP server that works over SSL / TLS – you will need to import the key into the machine store, and then make it readable by the service account.
Previously, I would have recommended using the WinHttpCertCfg tool from Microsoft’s download site – despite its rather particular sounding name, the basic point of this tool is to (import and) assign access rights to a certificate for a particular user. Exactly what you need to do.
Lately, though, I’ve come across another tool that has a big advantage over WinHttpCertCfg. You see, as a developer, when I see a tool that does something I can’t figure out for myself, I ask “how did they do that?” Whenever I see a KB article that says “Application A can’t do this, but Application B can”, I ask “and how does it do that? How can I do that?”
WinHttpCertCfg is like magic powder – you sprinkle it on, and it does what it’s supposed to do. But you’re none the wiser as to what it’s doing. Wouldn’t it be better if there was a tool with source code?
Now, there is.
It’s a very tiny part of the Windows Communications Framework and Windows CardSpace Samples download, and it’s called FindPrivateKey. It’s a simple executable, based on a simple C# source, with something approaching five lines of actual heavy lifting. Reading the C# source will tell even a relatively average programmer what’s going on here, and could come in handy with any future projects where you may need to trace your private keys.
Uh… except when it comes to Vista, because the keys have moved. Ah, but you’re all smart little security geeks, and know that in Vista, you can assign ACLs directly from the Certificate Manager:
You did already know that, didn’t you? Honestly, that’s such a cool feature, it makes me want Vista at my work place NOW.
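The two steps the post describes – tracing a machine-store certificate to the file that holds its private key, the way FindPrivateKey does, and then granting the service account read access – as an added PowerShell example that is not part of the original post or of the WCF samples. It goes a little beyond the post by also handling the CNG key location introduced with Vista; the thumbprint and the service account name are placeholders, and the two key directories are assumed from the standard %ProgramData% layout.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
param(
    [string]$Thumbprint     = 'REPLACE_WITH_CERT_THUMBPRINT',  # placeholder
    [string]$ServiceAccount = 'DOMAIN\svc-ftp'                  # placeholder service account
)

# 1. Look the certificate up in the machine (LocalMachine\My) store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the machine store."
}

# 2. Find the file that backs the private key. This is the heavy lifting FindPrivateKey does:
#    legacy CSP keys expose the container file name via CspKeyContainerInfo; CNG (KSP) keys,
#    the post-Vista location, expose it as the CngKey's UniqueName instead.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'  # assumed CSP location
} else {
    $fileName = $rsa.Key.UniqueName
    $keyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'             # assumed KSP location
}
$keyPath = Join-Path $keyDir $fileName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }
Write-Host "Private key file: $keyPath"

# 3. Show who can already read the key, then grant the service account Read only.
#    Read is all a service needs to use the key; avoid FullControl or Modify.
$acl = Get-Acl -Path $keyPath
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Verify the new entry landed.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```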