Windows - Certificate Grant Read Access

This Octopus.Script step template, exported 2026-04-16 by farhanalam, belongs to the ‘Windows’ category.

Grant read access to certificate for a specific user

Parameters

When steps based on the template are included in a project’s deployment process, the parameters below can be set.

Certificate Name

certCN

The CN (subject common name) of the certificate

User name

userName

The Windows user account that will be granted read access

Script body

Steps based on this template will execute the following PowerShell script.

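# Grants the Windows account in $userName "Read" access to the private-key file
# that backs the certificate whose Subject contains $certCN.
#
# Inputs (Octopus step parameters):
#   $certCN   - text looked for in the certificate Subject (normally the CN)
#   $userName - Windows account that receives "Read" on the key file
#
# The certificate is taken from CERT:\LocalMachine\My. When several certificates
# match, the one with the latest NotAfter (expiry) is used so that old, expired
# copies still sitting in the store are ignored.
# Outputs: progress via Write-Host; throws on any failure so the step fails.

if ([string]::IsNullOrWhiteSpace($certCN)) {
    throw "Error: parameter certCN must not be empty"
}
if ([string]::IsNullOrWhiteSpace($userName)) {
    throw "Error: parameter userName must not be empty"
}

# -match treats its right-hand side as a regular expression. Escape the value so
# a CN such as "www.example.com" is matched literally ("." would otherwise match
# any character) and cannot select a different certificate's key by accident.
# Matching is still a substring match on the whole Subject, as before.
$subjectPattern = [regex]::Escape($certCN)

Try
{
    # Sort-Object needs a property name. The previous "sort $_.NotAfter" used $_
    # outside a script block, where it is $null, so no sorting happened at all.
    $WorkingCert = Get-ChildItem -Path CERT:\LocalMachine\My -ErrorAction Stop |
        Where-Object { $_.Subject -match $subjectPattern } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}
Catch
{
    throw "Error: unable to locate certificate for $($CertCN)"
}

# An empty pipeline leaves $WorkingCert null; the Thumbprint check covers that.
$TPrint = $WorkingCert.Thumbprint
if ($TPrint)
{
    Write-Host "Found certificate named $certCN with thumbprint $TPrint"
}
else
{
    throw "Error: unable to locate certificate for $($CertCN)"
}

# Resolve the on-disk key container so its file ACL can be edited.
# GetRSAPrivateKey returns $null when there is no usable RSA private key.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)
if ($null -eq $key) {
    throw "Private key not found or unsupported algorithm (non-RSA)."
}

if ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq "RSACng") {
    # CNG (Key Storage Provider) machine key
    $rsaFile = $key.Key.UniqueName
    $fullPath = "$($env:ProgramData)\Microsoft\Crypto\Keys\$rsaFile"
} else {
    # Legacy CSP machine key
    $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $fullPath = "$($env:ProgramData)\Microsoft\Crypto\RSA\MachineKeys\$rsaFile"
}

# Fail with a clear message instead of letting Get-Acl/AddAccessRule error on a
# missing path (e.g. a key stored in a user profile rather than the machine store).
if ([string]::IsNullOrEmpty($rsaFile) -or -not (Test-Path -LiteralPath $fullPath)) {
    throw "Error: private key file for $($certCN) was not found at $fullPath"
}

$acl = Get-Acl -Path $fullPath -ErrorAction Stop
# Least privilege: "Read" is enough to load the key; no Write/Modify is granted.
$permission = $userName, "Read", "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
Try
{
    Write-Host "Granting read access for user $userName on $certCN"
    Set-Acl -Path $fullPath -AclObject $acl
    Write-Host "Success: ACL set on certificate"
}
Catch
{
    # Keep the underlying reason (e.g. an unresolvable account name) in the error.
    throw "Error: unable to set ACL on certificate: $($_.Exception.Message)"
}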

Provided under the Apache License version 2.0.


To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.

{
  "Id": "cf6f35bf-b3e0-4285-98be-dcb509ab2ef9",
  "Name": "Windows  - Certificate Grant Read Access",
  "Description": "Grant read access to certificate for a specific user",
  "Version": 13,
  "ExportedAt": "2026-04-16T13:19:49.359Z",
  "ActionType": "Octopus.Script",
  "Author": "farhanalam",
  "Parameters": [
    {
      "Name": "certCN",
      "Label": "Certificate Name",
      "HelpText": "The CN of the Certificate",
      "DefaultValue": null,
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      }
    },
    {
      "Name": "userName",
      "Label": "User name",
      "HelpText": "The Windows user",
      "DefaultValue": null,
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      }
    }
  ],
  "Properties": {
    "Octopus.Action.Script.ScriptBody": "# $certCN is the identifiying CN for the certificate you wish to work with\n# The selection also sorts on Expiration date, just in case there are old expired certs still in the certificate store.\n# Make sure we work with the most recent cert\n\nTry\n{\n    $WorkingCert = Get-ChildItem CERT:\\LocalMachine\\My | where {$_.Subject -match $certCN} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP\n}\nCatch\n{\n    throw \"Error: unable to locate certificate for $($CertCN)\"\n}\n\n$TPrint = $WorkingCert.Thumbprint\nif($TPrint)\n{\n    Write-Host \"Found certificate named $certCN with thumbprint $TPrint\"\n}\nelse\n{\n    throw \"Error: unable to locate certificate for $($CertCN)\"\n}\n\n$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($WorkingCert)\nif ($null -eq $key) {\n    throw \"Private key not found or unsupported algorithm (non-RSA).\"\n}\n\nif ($key -is [System.Security.Cryptography.CngKey] -or $key.GetType().Name -eq \"RSACng\") {\n    $rsaFile = $key.Key.UniqueName\n    $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\Keys\\$rsaFile\"\n} else {\n    # Legacy CSP\n    $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName\n    $fullPath = \"$($env:ProgramData)\\Microsoft\\Crypto\\RSA\\MachineKeys\\$rsaFile\"\n}\n\n$acl = Get-Acl -Path $fullPath\n$permission = $userName,\"Read\",\"Allow\"\n$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission\n$acl.AddAccessRule($accessRule)\nTry \n{\n    Write-Host \"Granting read access for user $userName on $certCN\"\n    Set-Acl $fullPath $acl\n    Write-Host \"Success: ACL set on certificate\"\n}\nCatch\n{\n    throw \"Error: unable to set ACL on certificate\"\n}\n",
    "Octopus.Action.Script.Syntax": "PowerShell"
  },
  "Category": "Windows",
  "HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates/windows-certificate-grant-read-access.json",
  "Website": "/step-templates/cf6f35bf-b3e0-4285-98be-dcb509ab2ef9",
  "Logo": "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",
  "$Meta": {
    "Type": "ActionTemplate"
  }
}
