Update Certificate Permissions with PowerShell

We recently encountered an issue with certificates that had been imported on several servers without the proper permissions applied to them. Rather than tediously opening each certificate and updating permissions manually, we decided to leverage the power of PowerShell to automate the process.

With just a few lines of code, we were able to grant full control to the Network Service account for the affected certificates. Essentially, we used PowerShell's ability to set Access Control Lists (ACLs) on files and folders. In this case, we first had to look up the certificate already installed on the machine through the Cert:\ path and then locate its private key file, which is where the permissions are applied.

# Apply Network Service Permissions to Certificate using Thumbprint Only
$Cert_Thumbprint = "Cert_Thumbprint"   # replace with the certificate's thumbprint
$Cert = Get-ChildItem Cert:\LocalMachine\My\$Cert_Thumbprint
$Cert_RSA = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
# The key file name is on the underlying CNG key object (RSACng.Key), not on the RSA object itself
$Filename = $Cert_RSA.Key.UniqueName
$Path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$Filename"
# Read the current ACL of the private key file, add the new rule, and write it back
$Permissions = Get-Acl -Path $Path
$NewPermission = New-Object System.Security.AccessControl.FileSystemAccessRule "NT AUTHORITY\NETWORK SERVICE", "FullControl", "Allow"
$Permissions.AddAccessRule($NewPermission)
Set-Acl -Path $Path -AclObject $Permissions
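
A least-privilege variant of the script above, as an added example that is not part of the original post: it grants Read instead of FullControl (an assumption that the service only needs to use the key), checks both the legacy CSP and the CNG machine key folders, and skips the change when an equivalent rule already exists. The function name Grant-CertKeyRead and its parameters are hypothetical.

```powershell
# Added example (not the original post's code); Grant-CertKeyRead is a hypothetical name.
function Grant-CertKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Certificate $Thumbprint does not have an RSA private key." }

    # The key file name is exposed differently by the CNG and legacy CSP key classes.
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }

    # Legacy CSP keys live under RSA\MachineKeys, CNG keys under Keys; check both.
    $root = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto'
    $path = 'RSA\MachineKeys', 'Keys' |
        ForEach-Object { Join-Path (Join-Path $root $_) $name } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $path) { throw "Key file '$name' not found under $root." }

    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)
    $acl = Get-Acl -LiteralPath $path

    # Idempotent: add the rule only if no explicit allow entry already covers Read.
    $covered = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if (-not $covered) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, $read, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $path -AclObject $acl
    }

    # Return the key file and the account's resulting entries for review.
    [pscustomobject]@{
        Path  = $path
        Rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value }
    }
}
```

Run it from an elevated session, for example `Grant-CertKeyRead -Thumbprint '<CERT_THUMBPRINT>'` with the placeholder replaced, and review the returned rules.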

As usual, if you have a different or better way to do this, feel free to leave a comment below.