Error replacing self-signed search certificate for FAST – Could not set access rights on certificates private keys

I have a test environment with SharePoint 2010 and FAST installed, and am using the self-signed certificates to enable FAST to communicate with SharePoint and vice-versa. My self-signed certificate expired, so I generated a new one using:

.\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true

When I then tried to secure the FAST search connector via the PowerShell command:

.\securefastsearchconnector.ps1 -certPath "" -ssaName "FASTSSA" -userName "<user name for osearch14>"

I got an error when the script was trying to set Read/Execute permission on the certificate private key:

Could not set access rights on certificates private keys. Script can be rerun to only set access rights when reason for error is detected.

as well as:

Set-Acl : Attempted to perform an unauthorized operation

I tried several different methods to resolve this, including setting the ownership of the file in the script using TAKEOWN, but it wouldn’t work. Eventually I had to hack the securefastsearchconnector.ps1 file and comment out the line that set the ACL, as well as print out what it was trying to do:

write-host "setting ACL for " $keypath$keyname " to " $script:userName
#set-acl -aclobject $acl $keypath$keyname

The output was then:

setting ACL for [full path to cert private key] to [user account of osearch14]

This effectively bypasses the setting of the ACL, and I then used the full path of the cert private key to manually add Read/Execute permission to my osearch14 account.
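
One way to script the manual permission step described above and confirm the result, as an added example that is not code from the original post or from the FAST scripts. It assumes the new certificate is in the LocalMachine\My store with a CSP-backed RSA key stored under MachineKeys, and it is run from an elevated PowerShell session; the thumbprint and account values are placeholders.

```powershell
# Added example. Placeholders below must be replaced before running.
$thumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'   # placeholder
$account    = 'DOMAIN\<osearch14 account>'        # placeholder

function Get-PrivateKeyPath {
    param([string]$Thumbprint)
    # Assumption: certificate lives in the local machine Personal store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    # Assumption: CSP (non-CNG) key, so the key file is under RSA\MachineKeys.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $path = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    if (-not (Test-Path -Path $path)) { throw "Key file not found: $path" }
    return $path
}

function Grant-KeyReadExecute {
    param([string]$KeyPath, [string]$Account)
    # Grant only Read/Execute, the right the connector script tries to set.
    & icacls.exe $KeyPath /grant "${Account}:(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Test-KeyReadExecute {
    param([string]$KeyPath, [string]$Account)
    $rx = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $hit = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $rx) -eq $rx
    }
    return [bool]$hit
}

$keyPath = Get-PrivateKeyPath -Thumbprint $thumbprint
Grant-KeyReadExecute -KeyPath $keyPath -Account $account

if (-not (Test-KeyReadExecute -KeyPath $keyPath -Account $account)) {
    throw "Read/Execute for $account is not present on $keyPath"
}

# Review the full ACL: the private key should be readable only by the
# accounts that need it (least privilege), not by broad groups.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

With the Set-Acl line commented out, the connector script no longer applies or verifies this permission itself, so the check above is worth rerunning whenever the certificate is regenerated.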

