xsolon · November 4, 2017 14:34
diff --git a/pfx_acl.ps1 b/pfx_acl.ps1
 $friendlyName = 'cert friendly name'

 $location = 'Cert:\LocalMachine\my';

 #get cert by friendly name
 $cert = Get-ChildItem -Path $location | Where { $_.FriendlyName -eq $friendlyName};

 #location of pfx on file system
 $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
 $keyPath =  [System.IO.Path]::Combine("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\",$keyName)

 $userName = "IIS AppPool\services"
 #icacls $keyPath /grant "$userName`:(F)"

 $acl = Get-Acl $keyPath
 $ar = New-Object  system.security.accesscontrol.filesystemaccessrule($userName,"FullControl","None", "None", "Allow")
 $acl.SetAccessRule($ar)
 Set-Acl $keyPath $acl
	$friendlyName = 'cert friendly name'

	$location = 'Cert:\LocalMachine\my';

	#get cert by friendly name
	$cert = Get-ChildItem -Path $location \| Where { $_.FriendlyName -eq $friendlyName};

	#location of pfx on file system
	$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
	$keyPath = [System.IO.Path]::Combine("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\",$keyName)

	$userName = "IIS AppPool\services"
	#icacls $keyPath /grant "$userName`:(F)"

	$acl = Get-Acl $keyPath
	$ar = New-Object system.security.accesscontrol.filesystemaccessrule($userName,"FullControl","None", "None", "Allow")
	$acl.SetAccessRule($ar)
	Set-Acl $keyPath $acl