Certificate files are not visible on shared folder

  • Hello all,

    I have a database certificate named "Activation".

    Took the backup of the certificate to a shared location (have read/write permissions for this) with the following SQL statement.

    BACKUP CERTIFICATE Activation
    TO FILE = N'\\Server\CertStore\Activation.cer'

    The above SQL executed successfully, but the certificate was not visible in the shared location.

    To make the certificate available, I have to log in to the server, go to the concerned folder and share the certificate again. Then I am able to see the certificate on the shared location.

    Is this a general issue? Or do I have to change any setting at the file/folder level on my server?

    Thanks.

  • What share\NTFS permissions are set for Certstore?

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Got it fixed...

    The reason for this issue:

    Folder permissions are not enough. The files created (*.cer and *.pvk) will be ACL-ed by the creator instance to prevent any other account access, overwriting any permission inherited from the folder permissions. You must explicitly grant read permissions on the two created files.
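An added example (not from this thread) of the explicit grant described above: it inspects the owner and current ACL of the two backup files and adds a read-only entry for one named group. The paths and the group `DOMAIN\CertAdmins` are placeholders, and it assumes both files exist (the .pvk is only written when the certificate is backed up with its private key).

```powershell
# Added example: inspect and explicitly grant read access on the files written by
# BACKUP CERTIFICATE. 'DOMAIN\CertAdmins' is a placeholder; use a small, specific group.
$files  = @('\\Server\CertStore\Activation.cer', '\\Server\CertStore\Activation.pvk')
$reader = 'DOMAIN\CertAdmins'

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "Missing: $f"
        continue
    }
    $acl = Get-Acl -LiteralPath $f

    # Show who owns the file and which identities currently have access.
    # Per the thread, the SQL Server service account owns it and the
    # folder's inherited permissions are not present on the file.
    "{0}`n  Owner: {1}" -f $f, $acl.Owner
    $acl.Access | ForEach-Object {
        "  {0,-35} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    }

    # Grant Read only (not Modify or FullControl) to the designated group.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($reader, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $f -AclObject $acl

    # Verify the entry was written.
    $check = (Get-Acl -LiteralPath $f).Access | Where-Object { $_.IdentityReference -eq $reader }
    if ($check) { "  Granted: $reader -> $($check.FileSystemRights)" } else { Write-Warning "Grant failed: $f" }
}
```

The account running this must be allowed to change the DACL on the files (for example, an administrator on the server that owns the share); run it there rather than from a client session if Set-Acl is denied.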

  • Correct, this is a security issue. The service account is the one that gets them ACL'd. You need to change that, carefully, to allow an admin to see them.

    Make sure you are careful about who has rights to these files. If they are open to too many people, then your certificates provide no security.

  • The backup of the certificate will be encrypted so this should afford some protection, but as Steve said, be careful here who you provide access to!

    anand_vanam (3/1/2012)

    The reason for this issue:

    Folder permissions are not enough.

    Folder permissions are enough as long as you understand how NTFS permissions work.

    To access the files through the CertStore share you first need to ensure that the share permissions are sufficiently set to allow access for your desired users\groups.

    Once this is done, you would then need to go to the security tab and select the advanced button. On the ACL definitions tab there is a checkbox to reset inheritance on child objects; doing this would force the ACL list onto child folders\files. This option should be used with extreme care as it may or may not be the correct action for that particular folder and its child objects.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
