Devolutions
diff --git a/‎package/WindowsManaged/Actions/CustomActions.cs‎
Lines changed: 76 additions & 0 deletions b/‎package/WindowsManaged/Actions/CustomActions.cs‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎package/WindowsManaged/Actions/GatewayActions.cs‎
Lines changed: 37 additions & 1 deletion b/‎package/WindowsManaged/Actions/GatewayActions.cs‎
Lines changed: 37 additions & 1 deletion
@@ -28,6 +28,8 @@
 using WixSharp;
 using static DevolutionsGateway.Actions.WinAPI;
 using File = System.IO.File;
+using StoreLocation = System.Security.Cryptography.X509Certificates.StoreLocation;
+using StoreName = System.Security.Cryptography.X509Certificates.StoreName;
 
 namespace DevolutionsGateway.Actions
 {
@@ -1069,6 +1071,80 @@ public static ActionResult SetProgramDataDirectoryPermissions(Session session)
             }
         }
 
+        [CustomAction]
+        public static ActionResult SetCertificatePrivateKeyPermissions(Session session)
+        {
+            try
+            {
+                // Skip when the gateway will auto-generate a certificate — the selected system-store
+                // cert (if any) isn't actually being used in that case.
+                if (session.Get(GatewayProperties.configureWebApp) && session.Get(GatewayProperties.generateCertificate))
+                {
+                    session.Log("certificate is being auto-generated; skipping private key permission grant");
+                    return ActionResult.Success;
+                }
+
+                StoreLocation location = session.Get(GatewayProperties.certificateLocation);
+                StoreName storeName = session.Get(GatewayProperties.certificateStore);
+                string subjectName = session.Get(GatewayProperties.certificateName);
+
+                if (string.IsNullOrWhiteSpace(subjectName))
+                {
+                    session.Log("certificateName is empty; skipping private key permission grant");
+                    return ActionResult.Success;
+                }
+
+                // Use the same selection logic the Gateway service uses at startup. Fresh installs
+                // initialize gateway.json with tls_verify_strict=true (devolutions-gateway/src/config.rs
+                // generate_new), so we apply the strict filter here too.
+                CertificateSelection.Result selection = CertificateSelection.Select(
+                    location, storeName, subjectName, strictMode: true);
+
+                if (selection.Selected == null)
+                {
+                    if (selection.AllFiltered)
+                    {
+                        session.Log($"found {selection.MatchCount} certificate(s) matching subject {subjectName} in {location}\\{storeName}, but all were filtered out by strict-mode prerequisites (issues: {selection.FilteredReasons})");
+                    }
+                    else
+                    {
+                        session.Log($"no certificate matching subject {subjectName} found in {location}\\{storeName}");
+                    }
+                    return ActionResult.Success;
+                }
+
+                try
+                {
+                    X509Certificate2 certificate = selection.Selected;
+                    session.Log($"selected certificate {certificate.Thumbprint} (NotAfter={certificate.NotAfter:o}) for subject {subjectName}");
+
+                    if (PrivateKeyPermissions.HasNetworkServiceReadPermission(certificate))
+                    {
+                        session.Log("NETWORK SERVICE already has Read access to the certificate's private key");
+                        return ActionResult.Success;
+                    }
+
+                    if (PrivateKeyPermissions.TryGrantNetworkServiceReadPermission(certificate, out Exception grantError))
+                    {
+                        session.Log("granted NETWORK SERVICE Read access to the certificate's private key");
+                        return ActionResult.Success;
+                    }
+
+                    session.Log($"failed to grant NETWORK SERVICE Read access to the certificate's private key: {grantError}");
+                }
+                finally
+                {
+                    selection.Selected.Dispose();
+                }
+            }
+            catch (Exception e)
+            {
+                session.Log($"unexpected error setting certificate private key permissions: {e}");
+            }
+
+            return ActionResult.Success;
+        }
+
         [CustomAction]
         public static ActionResult SetUsersDatabaseFilePermissions(Session session)
         {
 
@@ -354,13 +354,48 @@ internal static class GatewayActions
         hide: true // Don't print the custom action data to logs, it might contain a password
     );
 
+    /// <summary>
+    /// Grant NETWORK SERVICE Read permission on the selected system store certificate's private key
+    /// </summary>
+    /// <remarks>
+    /// The Gateway service runs as NETWORK SERVICE and needs Read access on the private key file.
+    /// Best effort: failures are logged but do not fail the install. Only fires when a system-store
+    /// certificate is selected and the gateway is not auto-generating one.
+    /// </remarks>
+    private static readonly ElevatedManagedAction setCertificatePrivateKeyPermissions = new(
+        new Id($"CA.{nameof(setCertificatePrivateKeyPermissions)}"),
+        CustomActions.SetCertificatePrivateKeyPermissions,
+        Return.ignore,
+        When.After, new Step(configureCertificate.Id),
+        new Condition(string.Join(" AND ", new[]
+        {
+            "(NOT Installed OR REINSTALL)",
+            $"({GatewayProperties.configureGateway.Equal(true)})",
+            $"({GatewayProperties.certificateMode.Equal(Constants.CertificateMode.System)})",
+            $"({GatewayProperties.httpListenerScheme.Equal(Constants.HttpsProtocol)})",
+            $"({GatewayProperties.configureNgrok.Equal(false)})",
+        })),
+        Sequence.InstallExecuteSequence)
+    {
+        Execute = Execute.deferred,
+        Impersonate = false,
+        UsesProperties = UseProperties(new IWixProperty[]
+        {
+            GatewayProperties.certificateLocation,
+            GatewayProperties.certificateStore,
+            GatewayProperties.certificateName,
+            GatewayProperties.configureWebApp,
+            GatewayProperties.generateCertificate,
+        }),
+    };
+
     /// <summary>
     /// Configure the public key using PowerShell
     /// </summary>
     private static readonly ElevatedManagedAction configurePublicKey = BuildConfigureAction(
         $"CA.{nameof(configurePublicKey)}",
         CustomActions.ConfigurePublicKey,
-        When.After, new Step(configureCertificate.Id),
+        When.After, new Step(setCertificatePrivateKeyPermissions.Id),
         new IWixProperty[]
         {
             GatewayProperties.publicKeyFile,
@@ -500,6 +535,7 @@ private static ElevatedManagedAction BuildConfigureAction(
         configureAccessUri,
         configureListeners,
         configureCertificate,
+        setCertificatePrivateKeyPermissions,
         configureNgrokListeners,
         configurePublicKey,
         configureWebApp,