6 changes: 3 additions & 3 deletions step-templates/windows-certificate-grant-read-access.json
Expand Up @@ -3,9 +3,9 @@
"Name": "Windows - Certificate Grant Read Access",
"Description": "Grant read access to certificate for a specific user",
"ActionType": "Octopus.Script",
"Version": 12,
"Version": 13,
"Properties": {
"Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n \r\n Try\r\n {\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My |where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $TPrint = $WorkingCert.Thumbprint\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n if($TPrint){\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n }\r\n else{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n $keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n $fullPath=$keyPath+$rsaFile\r\n $acl=Get-Acl -Path $fullPath\r\n $permission=$userName,\"Read\",\"Allow\"\r\n $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission\r\n $acl.AddAccessRule($accessRule)\r\n Try \r\n {\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to set ACL on certificate\"\r\n }",
"Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)\r\nif ($null -eq $key) {\r\n throw \"Private key not found or unsupported algorithm (non-RSA).\"\r\n}\r\n\r\nif ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq \"RSACng\") {\r\n $rsaFile = $key.Key.UniqueName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\Keys\\$rsaFile\"\r\n} else {\r\n # Legacy CSP\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\RSA\\MachineKeys\\$rsaFile\"\r\n}\r\n\r\n$acl = Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n",
"Octopus.Action.Script.Syntax": "PowerShell"
},
"SensitiveProperties": {},
Expand All @@ -30,7 +30,7 @@
}
],
"LastModifiedOn": "2015-01-30T14:37:16.927+00:00",

@farhanalam: I would suggest updating this LastModifiedOn value
-OR-
I know of at least some templates that do not have a LastModifiedOn value, so removing it might also be an option. @twerthi , @hnrkndrssn?

"LastModifiedBy": "ARBNIK@skandianet.org",
"LastModifiedBy": "farhanalam",
"$Meta": {
"ExportedAt": "2015-01-30T14:39:14.212+00:00",
"OctopusVersion": "2.6.0.778",
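Review bot: The certificate lookup kept on the new side of `Octopus.Action.Script.ScriptBody` can select a different certificate than the one intended, and the step then grants `$userName` read access to that certificate's private key. `where {$_.Subject -match $certCN}` is an unanchored regex match, so a short CN value also matches longer subjects, and `sort $_.NotAfter -Descending` passes a null property because `$_` is not bound outside a script block, so `select -first 1` does not reliably return the latest-expiring certificate. I would change the pipeline tail to `Sort-Object NotAfter -Descending | Select-Object -First 1` and match the subject exactly, or select by thumbprint. Separately, `Get-Acl -Path $fullPath` runs outside any `Try`, and the new CNG branch assumes a software key file under `Microsoft\Crypto\Keys`; a `Test-Path $fullPath` check with a clear error would cover keys held by another provider.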