Grant Allow:Read On The Private Key Associated With A Certificate To A Specific Account
# Script inputs: replace the three placeholders before running.
$action = '<ACTION TO EXECUTE>'                       # 'SET' grants Allow:Read, 'CHECK' only reports <= CONFIGURE THIS!!!!!
$account = '<DOMAIN>\<SAMACCOUNTNAME>'                # account that receives / is checked for the ACE <= CONFIGURE THIS!!!!!
$certificateThumbprint = '<CERTIFICATE THUMBPRINT>'   # thumbprint of the certificate in the store below <= CONFIGURE THIS!!!!!
$certStoreLocation = 'Cert:\LocalMachine\My'          # machine personal store; fixed, not a placeholder
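Invoke-Command -ArgumentList $action,$account,$certificateThumbprint,$certStoreLocation -ScriptBlock {
  # Runs on the local machine (no -ComputerName is given). The four values are handed in
  # explicitly through -ArgumentList / Param because the script block has its own scope.
  Param (
    $action,                # "SET" or "CHECK", matched case-insensitively
    $account,               # "<DOMAIN>\<SAMACCOUNTNAME>", as it appears in an ACE's IdentityReference
    $certificateThumbprint, # thumbprint of the certificate to look up in $certStoreLocation
    $certStoreLocation      # e.g. Cert:\LocalMachine\My; the key-file path below assumes a machine store
  )
  Clear-Host

  ### FUNCTION: Permission Private Key
  # Sets (action "SET") or checks (action "CHECK") an Allow:Read,Synchronize ACE for $account on
  # the file that backs the certificate's private key. Read is all a service needs to use the key;
  # nothing wider is granted here.
  # Returns "aceEXISTS" / "aceDOESNOTEXIST" for CHECK and nothing for SET.
  # Throws when the key file cannot be located, so an ACE is never written to a wrong path.
  # NOTE(review): the path is built from the legacy CSP (RSA) MachineKeys folder and
  # CspKeyContainerInfo, which only a CSP-stored key exposes; a CNG-stored key yields no
  # container name here and is kept elsewhere — confirm the certificate's key storage
  # provider before relying on this for such certificates.
  Function permissionPrivateKey($certificate,$account,$action) {
    $machineKeysLocation = $ENV:ALLUSERSPROFILE + "\Microsoft\Crypto\RSA\MachineKeys\"
    $certKeyFile = $certificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    # Appending an empty container name would make the target the MachineKeys folder itself,
    # and SET would then permission every machine key on the host. Refuse instead.
    If ([string]::IsNullOrEmpty($certKeyFile)) {
      Throw "Unable to determine the private key container file for the certificate with thumbprint '$($certificate.Thumbprint)'."
    }
    $certKeyFileFullPath = $machineKeysLocation + $certKeyFile
    If (-not (Test-Path -LiteralPath $certKeyFileFullPath -PathType Leaf)) {
      Throw "The private key file '$certKeyFileFullPath' was not found."
    }
    $certKeyFileACL = Get-Acl -LiteralPath $certKeyFileFullPath

    # Set The New ACE On The Private Key
    If ($action -eq "SET") {
      $ace = $account,"Read,Synchronize","Allow"
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $ace
      # SetAccessRule replaces an existing Allow rule for this identity rather than stacking ACEs
      $certKeyFileACL.SetAccessRule($accessRule)
      $certKeyFileACL | Set-Acl -LiteralPath $certKeyFileFullPath
    }

    # Check If The Service Account Has An ACE On The Private Key
    If ($action -eq "CHECK") {
      # Matches only the exact "Read, Synchronize" Allow ACE that SET creates; a broader grant
      # such as FullControl for the same account is reported as aceDOESNOTEXIST.
      $accountACE = $certKeyFileACL.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -And
        $_.FileSystemRights -eq "Read, Synchronize" -And
        $_.IdentityReference -eq $account
      }
      If ($accountACE) {
        Return "aceEXISTS"
      } Else {
        Return "aceDOESNOTEXIST"
      }
    }
  }

  Write-Host ""
  Write-Host "###############################################################################" -Foregroundcolor Yellow
  Write-Host "### Check Or Set Permissions On The Private Key Of The Chosen Certificate ###" -Foregroundcolor Yellow
  Write-Host "###############################################################################" -Foregroundcolor Yellow

  # A missing certificate is reported below; suppress the provider's own "cannot find path" error.
  $certificate = $null
  $certificate = Get-ChildItem -Path ($certStoreLocation + "\" + $certificateThumbprint) -ErrorAction SilentlyContinue
  If ($null -ne $certificate) {
    Write-Host ""
    Write-Host " => The Certificate With Thumbprint '$certificateThumbprint' Exists In The Certificate Store '$certStoreLocation'..." -ForegroundColor Green
    # HasPrivateKey is a [bool]; testing it with [string]::IsNullOrEmpty turned $false into the
    # non-empty string "False" and always took the "has a private key" branch.
    If ($certificate.HasPrivateKey) {
      Write-Host ""
      Write-Host " => The Certificate With Thumbprint '$certificateThumbprint' Has A Private Key Associated..." -ForegroundColor Green
      # Switch string comparison is case-insensitive, so "set"/"check" are accepted as before.
      Switch ($action) {
        "CHECK" {
          $aceStatusOnPrivKey = $null
          $aceStatusOnPrivKey = permissionPrivateKey $certificate $account CHECK
          If ($aceStatusOnPrivKey -eq "aceEXISTS") {
            Write-Host ""
            Write-Host " => The Private Key Of The Certificate With Thumbprint '$certificateThumbprint' Has An ACE For The Account '$account'..." -ForegroundColor Green
          } Else {
            Write-Host ""
            Write-Host " => The Private Key Of The Certificate With Thumbprint '$certificateThumbprint' DOES NOT Have An ACE For The Account '$account'..." -ForegroundColor Red
          }
        }
        "SET" {
          permissionPrivateKey $certificate $account SET
          # Re-read the ACL instead of assuming Set-Acl succeeded before reporting success.
          If ((permissionPrivateKey $certificate $account CHECK) -eq "aceEXISTS") {
            Write-Host ""
            Write-Host " => The Private Key Of The Certificate With Thumbprint '$certificateThumbprint' Has Been Permissioned With 'Allow:Read' For The Account '$account'..." -ForegroundColor Green
          } Else {
            Write-Host ""
            Write-Host " => The ACE For The Account '$account' On The Private Key Of The Certificate With Thumbprint '$certificateThumbprint' Could NOT Be Verified After Setting It..." -ForegroundColor Red
          }
        }
        Default {
          # Previously an unknown action fell through silently with no output at all.
          Write-Host ""
          Write-Host " => The Action '$action' Is Not Supported, Use 'SET' Or 'CHECK'..." -ForegroundColor Red
        }
      }
    } Else {
      Write-Host ""
      Write-Host " => The Certificate With Thumbprint '$certificateThumbprint' DOES NOT Have A Private Key Associated..." -ForegroundColor Red
    }
  } Else {
    Write-Host ""
    Write-Host " => The Certificate With Thumbprint '$certificateThumbprint' DOES NOT Exist In The Certificate Store '$certStoreLocation'..." -ForegroundColor Red
  }
  Write-Host ""
  Write-Host ""
}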