
Commit 79a20d8

Support setting certificate permissions for the modern Key Storage Provider (#1675)
* formatting * Reduced nesting * Support Key Storage Provider Keeping legacy CSP support in place * updated metadata * updated metadata
1 parent d41375f commit 79a20d8

1 file changed

Lines changed: 6 additions & 6 deletions


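--- a/step-templates/windows-certificate-grant-read-access.json
+++ b/step-templates/windows-certificate-grant-read-access.json
@@ -3,9 +3,9 @@
 "Name": "Windows - Certificate Grant Read Access",
 "Description": "Grant read access to certificate for a specific user",
 "ActionType": "Octopus.Script",
-"Version": 12,
+"Version": 13,
 "Properties": {
-"Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n \r\n Try\r\n {\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My |where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n $TPrint = $WorkingCert.Thumbprint\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n if($TPrint){\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n }\r\n else{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n }\r\n $keyPath = \"$env:SystemDrive\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\\"\r\n $fullPath=$keyPath+$rsaFile\r\n $acl=Get-Acl -Path $fullPath\r\n $permission=$userName,\"Read\",\"Allow\"\r\n $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission\r\n $acl.AddAccessRule($accessRule)\r\n Try \r\n {\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n }\r\n Catch\r\n {\r\n throw \"Error: unable to set ACL on certificate\"\r\n }",
+"Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\r\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\r\n# Make sure we work with the most recent cert\r\n\r\nTry\r\n{\r\n $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$TPrint = $WorkingCert.Thumbprint\r\nif($TPrint)\r\n{\r\n Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\r\n}\r\nelse\r\n{\r\n throw \"Error: unable to locate certificate for $($CertCN)\"\r\n}\r\n\r\n$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)\r\nif ($null -eq $key) {\r\n throw \"Private key not found or unsupported algorithm (non-RSA).\"\r\n}\r\n\r\nif ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq \"RSACng\") {\r\n $rsaFile = $key.Key.UniqueName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\Keys\\$rsaFile\"\r\n} else {\r\n # Legacy CSP\r\n $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\r\n $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\RSA\\MachineKeys\\$rsaFile\"\r\n}\r\n\r\n$acl = Get-Acl -Path $fullPath\r\n$permission = $userName,\"Read\",\"Allow\"\r\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\r\n$acl.AddAccessRule($accessRule)\r\nTry \r\n{\r\n Write-Host \"Granting read access for user $userName on $certCN\"\r\n Set-Acl $fullPath $acl\r\n Write-Host \"Success: ACL set on certificate\"\r\n}\r\nCatch\r\n{\r\n throw \"Error: unable to set ACL on certificate\"\r\n}\r\n",
 "Octopus.Action.Script.Syntax": "PowerShell"
 },
 "SensitiveProperties": {},
@@ -29,11 +29,11 @@
 }
 }
 ],
-"LastModifiedOn": "2015-01-30T14:37:16.927+00:00",
-"LastModifiedBy": "ARBNIK@skandianet.org",
+"LastModifiedOn": "2026-04-16T08:20:36.117-05:00",
+"LastModifiedBy": "farhanalam",
 "$Meta": {
-"ExportedAt": "2015-01-30T14:39:14.212+00:00",
-"OctopusVersion": "2.6.0.778",
+"ExportedAt": "2026-04-16T13:19:49.359Z",
+"OctopusVersion": "2026.1.11242",
 "Type": "ActionTemplate"
 },
 "Category": "windows"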
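Review bot: The new KSP branch in the ScriptBody assumes every CNG key is a file under `$env:ProgramData\Microsoft\Crypto\Keys`, but that only holds for machine-scoped keys in the Microsoft Software Key Storage Provider; a key held by the Platform Crypto (TPM) or a smart-card provider has no file there, so `Get-Acl` fails and the generic "unable to set ACL" catch hides the real reason (the provider behaviour is inferred from the CNG model, not visible in the hunk). Check `$key.Key.Provider` before building the path and `Test-Path` the result so the operator gets an actionable error instead of a silently wrong ACL target. The `$key -is [System.Security.Cryptography.CngKey]` half of the condition also looks dead, since `GetRSAPrivateKey` returns an `RSA` instance, never a `CngKey`; the `RSACng` type-name test is the one doing the work. Separately, `sort $_.NotAfter` carried over from the old script does not sort by expiry — `$_` is unbound outside a script block, so this is `Sort-Object -Property $null` — and should be `Sort-Object -Property NotAfter -Descending` to make the header comment true.
```powershell
if ($key.GetType().Name -eq "RSACng") {
    # Only the software KSP stores machine keys as files under ProgramData; TPM/smart-card keys have no file to ACL.
    $provider = $key.Key.Provider.Provider
    if ($provider -ne "Microsoft Software Key Storage Provider") {
        throw "Error: private key for $certCN is held by provider '$provider', which has no key file to grant access on."
    }
    $rsaFile = $key.Key.UniqueName
    $fullPath = "$($env:ProgramData)\Microsoft\Crypto\Keys\$rsaFile"
} else {
    # … unchanged: legacy CSP path …
}

if (-not (Test-Path -LiteralPath $fullPath)) {
    throw "Error: key file for $certCN not found at $fullPath"
}
# … unchanged: ACL construction and Set-Acl …
```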
