Set ACL on private key in HSM

  acl, cng, windows

On Windows Server A, we can generate a key in an HSM, and make it available to AD CS. The key is used to generate a CSR, which is signed by a public CA, and imported into the cert store on the same host. Can use certutil -repairstore to link the signed cert to the private key, and use the key for signing artifacts.

The problem is that the private key resource has an ACL on it, and if we move to a Server N, and try to use the signing key in the HSM, there is a permissions error event due to the ACL on the key not recognizing the environment from which it is being accessed.

It seems that the powershell tools Get-Acl and Set-Acl (called on Server A) would work to change the ACL, but I lack knowledge of what params are required, what should go into the parameters, and how that information should be formatted. That said, the doc for Get-Acl says

Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.

(text in italics highlighted by me)

So, is Get-Acl correct? or is there something else that will work?

If anyone has done this, can we get some guidance?

There is a key in the HSM:

------------------------------------------------------------

Provider          : Utimaco CryptoServer Key Storage Provider
Device            : [email protected]
Group             : utimaco
Mode              : Internal Key Storage

------------------------------------------------------------

Index  AlgId        Size   Group            Name                             Spec
---------------------------------------------------------------------------------
1      RSA          2048   utimaco          testacl                          0

Get-Acl -inputobject might give me access to the object, but how to format that in a way that InputObject is happy with?

Thank you for any hints. Would happily accept "won’t work" if you include a "do this instead". Will unhappily accept won’t work if that’s all you say 🙂

Source: Windows Questions

LEAVE A COMMENT