When you run software solutions that use TLS-secured communication channels, the applications need access to the certificate’s private key. The private key is part of the certificate stored in the local certificate store of the computer. In most cases, the software solution creates a new self-signed certificate and configures access rights appropriately.
When establishing TLS communication channels with external partners, a public SSL/TLS certificate is required.
The following step-by-step instructions describe how to assign Read permission for the Email Security Solution Gateway NoSpamProxy. In this case, the solution does not utilize a classic service account but a so-called virtual service account. Virtual service accounts provide much better access security when executing Windows services.
Open the local computer certificate store using the MMC Snap-Ins.
Select the certificate to use and open the context menu (right-click).
Select Manage Private Keys to manage the private key permissions.
Click Add and add the required service accounts.
In this case, the virtual service accounts are part of the local computer entity. Select the local computer and not the Active Directory domain as a source when searching accounts. Virtual accounts use the prefix NT Service.
Add the following accounts to configure read access for NoSpamProxy on a server with installed Gateway and Intranet roles.
NT Service\NetatworkMailGatewayIntranetRoleNT Service\NetatworkMailGatewayManagementServiceNT Service\NetatworkMailGatewayGatewayRoleNT Service\NetatworkMailGatewayPrivilegedService
Add the following accounts to configure read access for NoSpamProxy on a server having the Gateway role installed only.
NT Service\NetatworkMailGatewayManagementServiceNT Service\NetatworkMailGatewayGatewayRoleNT Service\NetatworkMailGatewayPrivilegedService
Click Check Names to verify the existence of the entered service accounts.
When correctly resolved, the account names are replaced by their respective display names. Click OK to add the accounts.
Configure read access for all added service accounts and click OK.
The software solution can now access the certificate’s private key.