System Certificate Store Permissions
To allow Signotaur to access certificates with private keys in the system certificate store, the domain user account running the service needs specific permissions. This guide explains how to set these permissions.
Required Permissions
- Read: Allows the account to view certificate details.
- Read Key: Grants access to the private key associated with a certificate, enabling Signotaur to perform operations like signing or decrypting data with that key.
Note: Without Read Key permission, Signotaur won’t be able to use private keys for cryptographic operations.
Setting Up Permissions for the System Certificate Store
To configure permissions for a certificate in the system certificate store:
Step 1: Open the Certificate Manager
- Run mmc.exe (Microsoft Management Console).
- Go to File > Add/Remove Snap-in.
- Select Certificates and click Add.
- Choose Computer account and then Local computer to access the system certificate store.
Step 2: Navigate to the Certificate
- In the MMC console, expand Certificates (Local Computer).
- Locate the certificate that Signotaur needs to access, typically found under Personal or Trusted Root Certification Authorities.
Step 3: Edit Permissions for the Certificate
- Right-click on the certificate and select All Tasks > Manage Private Keys.
- In the Permissions window, click Add to add the domain user account running Signotaur.
- Grant the account Read and Read Key permissions by doing the following:
  - Select the account, then check Read and Full Control (or Read Key if available). Read is sufficient for signing and decryption; Full Control additionally lets the account change the key’s permissions or delete the key, so grant it only when it is actually required.
- Click Apply to save the changes.
Step 4: Verify Permissions
- Open the certificate properties to confirm that the domain user account has the required permissions.
- Optionally, test a signing or decryption operation to confirm that the application can access the private key.
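As an added example that is not part of the Signotaur documentation, the following PowerShell script is the scripted equivalent of Steps 1 through 4: it locates the certificate by thumbprint in the Local Computer Personal store, resolves the key container file that the Manage Private Keys dialog edits, adds an Allow entry for the service account, reads the ACL back, and signs a test buffer to confirm the key is usable. The thumbprint, the account name and the Get-PrivateKeyFile helper are assumptions supplied here; the key-file directories are the standard Windows locations for machine-scoped CNG and legacy CAPI keys. The default grant is Read only, matching the minimum the page says Signotaur needs.

```powershell
# Added example, not part of the Signotaur documentation: scripted equivalent
# of Steps 1-4 above for a certificate in the Local Computer Personal store.
# $Thumbprint and $Account are placeholders you supply.
# Run from an elevated PowerShell session on the host that owns the store.

param(
    [Parameter(Mandatory)][string]$Thumbprint,   # placeholder: SHA-1 thumbprint shown in MMC
    [Parameter(Mandatory)][string]$Account,      # placeholder: e.g. 'CONTOSO\svc-signotaur'
    [ValidateSet('Read', 'FullControl')]
    [string]$Rights = 'Read'                     # Read is all that signing/decrypting needs
)

function Get-PrivateKeyFile {
    # Assumed helper: resolve the on-disk key container behind a certificate.
    # CNG (KSP) machine keys live under Crypto\Keys; legacy CAPI machine keys
    # live under Crypto\RSA\MachineKeys. Hardware-backed keys have no file.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $ec  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    if ($ec -is [System.Security.Cryptography.ECDsaCng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($ec.Key.UniqueName)"
    }
    throw "Unsupported or hardware-backed private key; use the MMC steps instead"
}

# Steps 1-2: open the Local Computer store and find the certificate.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

$keyFile = Get-PrivateKeyFile -Cert $cert
if (-not (Test-Path -Path $keyFile)) { throw "Key container not found at $keyFile" }

# Step 3: add an Allow entry for the service account on the key container.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Step 4a: read the ACL back and show exactly what the account now holds.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Step 4b: prove the key is usable by signing and verifying a test buffer.
# Run this part in a session started as the service account (for example via
# runas /user:$Account) so it exercises the new ACE rather than admin rights.
$data = [System.Text.Encoding]::UTF8.GetBytes('signotaur permission check')
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa) {
    $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $sig  = $rsa.SignData($data, $hash, $pad)
    $ok   = $rsa.VerifyData($data, $sig, $hash, $pad)
    Write-Host "Test signature ($($sig.Length) bytes) verified: $ok"
}
```

Save the script and invoke it with the certificate thumbprint and the service account name; the ACL listing in Step 4a is the scripted form of the permission check, and the signing test in Step 4b is only meaningful when run under the service account itself, since an administrator session would succeed regardless of the new entry.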
By following these steps, you ensure that Signotaur has the necessary access to certificates with private keys, enabling it to perform cryptographic functions as intended.