Certificates deployed through GPO lacking private key permissions

    Question

  • Hello,

    I successfully deployed a certificate with a private key to the 'LocalMachine\Trusted People' store, and the UI shows that I have a private key for the certificate. 

    If I get the properties of this certificate, it shows that it has a PrivateKey, yet it does not return the actual PrivateKey object. Importing the same certificate directly into the machine through MMC works fine and provides access to the PrivateKey:

    PSPath                   : Microsoft.PowerShell.Security\Certificate::Localmachine\TrustedPeople\E098AE75AA72D21A586A4ABC1B586491FF141841
    PSParentPath             : Microsoft.PowerShell.Security\Certificate::Localmachine\TrustedPeople
    PSChildName              : E098AE75AA72D21A586A4ABC1B586491FF141841
    PSDrive                  : Cert
    PSProvider               : Microsoft.PowerShell.Security\Certificate
    PSIsContainer            : False
    EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
    DnsNameList              : {Company.Automation}
    SendAsTrustedIssuer      : False
    EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    PolicyId                 : 
    Archived                 : False
    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName             : GPO Provided
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 11/23/2025 2:02:56 PM
    NotBefore                : 11/23/2015 1:52:57 PM
    HasPrivateKey            : True
    PrivateKey               : 
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    RawData                  : {48, 130, 3, 18...}
    SerialNumber             : 1D898F6A29528AA848C5901BB3E0FF4F
    SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm       : System.Security.Cryptography.Oid
    Thumbprint               : E098AE75AA72D21A586A4ABC1B586491FF141841
    Version                  : 3
    Handle                   : 730070565744
    Issuer                   : CN=Company.Automation
    Subject                  : CN=Company.Automation
    

    CAPI2 has the following error:

    System
      Provider
        Name:  Microsoft-Windows-CAPI2
        Guid:  {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
      EventID:        70
      Version:        0
      Level:          2
      Task:           70
      Opcode:         0
      Keywords:       0x4000000000000080
      TimeCreated
        SystemTime:   2015-11-25T01:47:21.608944100Z
      EventRecordID:  2
      Correlation
      Execution
        ProcessID:    15432
        ThreadID:     12064
      Channel:        Microsoft-Windows-CAPI2/Operational
      Computer:       DNVWEBSCOM1.prod.company.com
      Security
        UserID:       S-1-5-21-246108663-1456017983-1738939233-1190

    UserData
      CryptAcquireCertificatePrivateKey
        Certificate
          fileRef:      E098AE75AA72D21A586A4ABC1B586491FF141841.cer
          subjectName:  Company.Automation
        Flags
          value:        10080
          CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG:  true
        EventAuxInfo
          ProcessName:  certutil.exe
        CorrelationAuxInfo
          TaskId:       {7554D442-0639-4823-9DAB-23A277D5CA81}
          SeqNumber:    2
        Result:  Keyset does not exist
          value:        80090016

    Tuesday, November 24, 2015 10:33 PM

All replies

  • Hi Artisticcheese,

    Thanks for your post.

    As far as I know, the Trusted People certificate store is for other people and resources that you trust. It isn't recommended to deploy a private key in Trusted People, or it may create a security problem, since if you have someone else's private key, it is not private. So I'm not sure if your error is related to deploying the PrivateKey in TrustedPeople.

    https://technet.microsoft.com/en-us/library/cc776447(v=ws.10).aspx

    And you could also confirm in the Security forum.

    Thanks for your support and understanding.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 25, 2015 8:29 AM
    Moderator
  • I need to deploy a certificate with a private key to all computers in my domain. Where am I supposed to put it? I tried to put it into different containers, but it was never imported into the client computers with the private key (despite the fact that in the UI the certificate shows that it has a private key). Is it possible in general to distribute a certificate with the private key attached to client computers through GPO?
    Wednesday, November 25, 2015 12:58 PM
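
The script below is an added example written for this thread; it is not code posted by either participant and not Microsoft's own tooling. It serves two of the posts above: the original question (HasPrivateKey reads True while PrivateKey is empty and CAPI2 logs NTE_BAD_KEYSET, 0x80090016) and the follow-up asking how to get a certificate plus key onto every domain computer. The first part checks whether the key container behind a certificate actually exists on the local machine and shows who can read it, since HasPrivateKey only reflects the key-provider-info property that travels with the certificate, not the key itself. The second part is a computer startup script pattern that imports a PFX into LocalMachine\My with Import-PfxCertificate and grants one account read access to the key file. It assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (PKI module, .NET 4.6+ RSACertificateExtensions), an elevated or SYSTEM context, software-provider machine keys, and the placeholder share path, password, and principal marked in the code; the thumbprint is the one from the question.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1, PKI module,
# .NET 4.6+, elevated/SYSTEM context. Placeholder values are marked below.

function Get-KeyContainerPath {
    # Maps an opened RSA key to its container file under the machine-key directories of the
    # Microsoft software providers (CNG KSP vs. legacy CSP). Returns $null for other providers
    # (smart cards, TPM), which have no file to ACL.
    param([System.Security.Cryptography.RSA]$Key)
    switch ($Key.GetType().Name) {
        'RSACng'                   { Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($Key.Key.UniqueName)" }
        'RSACryptoServiceProvider' { Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($Key.CspKeyContainerInfo.UniqueKeyContainerName)" }
        default                    { $null }
    }
}

function Test-PrivateKeyAccess {
    # Separates "the certificate carries a key-provider-info link" (HasPrivateKey) from
    # "the key container exists and is readable". The second check is what fails with
    # NTE_BAD_KEYSET (0x80090016, "Keyset does not exist"), the result in the CAPI2 event above.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $result = [ordered]@{ Thumbprint = $Cert.Thumbprint; HasPrivateKey = $Cert.HasPrivateKey
                          KeyOpened = $false; KeyFile = $null; Error = $null }
    try {
        # Resolves CSP and CNG keys alike; throws CryptographicException when the container is missing.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key) {
            $result.KeyOpened = $true
            $result.KeyFile   = Get-KeyContainerPath -Key $key
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# --- Part 1: diagnose the certificate from the question -----------------------------------
$diag = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPeople' |
    Where-Object Thumbprint -eq 'E098AE75AA72D21A586A4ABC1B586491FF141841' |
    ForEach-Object { Test-PrivateKeyAccess -Cert $_ }
$diag | Format-List
if ($diag.KeyFile -and (Test-Path -LiteralPath $diag.KeyFile)) {
    # Read on this file is what a non-admin account needs in order to use the key.
    (Get-Acl -LiteralPath $diag.KeyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# --- Part 2: startup-script deployment pattern --------------------------------------------
$PfxPath   = '\\fileserver\certs\automation.pfx'   # placeholder: share readable only by Domain Computers
$PfxPass   = ConvertTo-SecureString 'placeholder-password' -AsPlainText -Force  # placeholder: keep out of the script in real use
$Principal = 'NT SERVICE\AutomationSvc'            # placeholder: the account that must use the key
$StorePath = 'Cert:\LocalMachine\My'               # Personal store, not TrustedPeople

# Idempotent: skip the import when the certificate is already in the store.
$thumb = (Get-PfxData -FilePath $PfxPath -Password $PfxPass).EndEntityCertificates[0].Thumbprint
$cert  = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $thumb
if (-not $cert) {
    # No -Exportable: the machine can use the key, but it cannot be exported again through the API.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $PfxPass
}

# Verify the key is really usable before touching permissions.
$check = Test-PrivateKeyAccess -Cert $cert
if (-not $check.KeyOpened) { throw "Imported $thumb but its key is unusable: $($check.Error)" }

# Grant the service account Read on the key container file.
if ($check.KeyFile -and (Test-Path -LiteralPath $check.KeyFile)) {
    $acl = Get-Acl -LiteralPath $check.KeyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')))
    Set-Acl -LiteralPath $check.KeyFile -AclObject $acl
}
```

If Part 1 reports HasPrivateKey True, KeyOpened False and an NTE_BAD_KEYSET error, the certificate was copied with its key-provider-info property but without the key container, which is what the GPO Public Key Policies import does: it distributes the certificate only. One design caveat on Part 2: a single PFX imported on every machine means one private key shared by the whole domain, so any one host's compromise exposes it everywhere; per-machine certificates issued through autoenrollment from an enterprise CA avoid that and need no PFX or password to be distributed at all.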
  • Hi artisticcheese,

    Thanks for your reply.

    As far as I know, there's no group policy to deploy a CA with its own private key. Group policy is usually used to deploy client computer certificates with the public key, which is under Computer Configuration, Security Settings, and then Public Key Policies.

    https://technet.microsoft.com/en-us/library/cc731242%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Mary Dong


    Thursday, November 26, 2015 6:06 AM
    Moderator