
Cert private key permission changes

Hardwick, Lewis 20 Reputation points
2026-04-13T19:13:26.4+00:00

Hello,

We're implementing a new Windows Event Collector using HTTPS.

I have followed various online guides from Microsoft and others and I have a working environment.

The only issue I ran into was having to assign the NETWORK SERVICE account read-only access to the private key on the workstation. I can easily add it via certlm.msc, but that's not feasible for 4,000+ endpoints. When running a script using icacls or Set-ACL, it adds the account successfully, but removes CREATOR OWNER.

My familiarity with this "account" is vague. If CREATOR OWNER is removed, should I expect catastrophic results?

The object is "owned" by the SYSTEM account, which also has Full Control (not inherited).

What am I doing wrong?

Thanks!

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Answer accepted by question author
  1. Jason Nguyen Tran 15,280 Reputation points Independent Advisor
    2026-04-13T22:07:16.1+00:00

    Hi Hardwick, Lewis,

    As far as I know, removing CREATOR OWNER from the ACL is not catastrophic in your scenario. CREATOR OWNER is a placeholder that grants the creator of an object special rights, but since your certificate private key is owned by SYSTEM (with Full Control), the absence of CREATOR OWNER does not break functionality. The NETWORK SERVICE account simply needs read access to the private key, and that’s what matters for your Windows Event Collector to work over HTTPS.

    When you use icacls or Set‑ACL, the tool rewrites the ACL and sometimes drops CREATOR OWNER because it’s not a standard SID like SYSTEM or NETWORK SERVICE. This is expected behavior and not a sign of corruption. As long as SYSTEM retains ownership and Full Control, and NETWORK SERVICE has read rights, your configuration is safe. You won’t see catastrophic failures just because CREATOR OWNER is missing.

    For scaling to thousands of endpoints, scripting with PowerShell and certutil is the recommended approach. You can automate granting NETWORK SERVICE read access without worrying about CREATOR OWNER. If you want to preserve the ACL exactly as it was, you can export the ACL before modification and re‑apply it after adding NETWORK SERVICE, but in practice this is not necessary.

    In short, you’re not doing anything wrong. The removal of CREATOR OWNER is normal, and your setup will continue to function correctly.

    I hope the response provided some helpful insight. If it addressed your issue, please consider marking it as Accept Answer so others facing the same problem can easily find the solution. If you need any further assistance, feel free to leave a comment.

    Jason.
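
The question's script rewrote the key ACL and lost an entry; the accepted answer recommends scripting the grant with PowerShell for thousands of endpoints. The following is an added example, not code from the question or either answer, showing the additive approach: it locates the private key file for a LocalMachine\My certificate, merges a single read ACE for NETWORK SERVICE into the existing DACL with AddAccessRule (so SYSTEM, Administrators, CREATOR OWNER and anything else already present are left untouched), and reports the resulting entries so the change can be verified. It assumes RSA keys stored in the two standard machine key directories under ProgramData (the CSP MachineKeys folder and the CNG Keys folder); the function names and the thumbprint placeholder are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: grant NETWORK SERVICE read access to a machine certificate's private key
# by ADDING one ACE to the key file's DACL rather than replacing the ACL, then verify.
# Assumptions (not from the original page): RSA keys only; key files live under the
# well-known CSP (RSA\MachineKeys) or CNG (Keys) machine key store directories.

function Get-MachineKeyPath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { throw "Certificate $($Certificate.Thumbprint) has no private key" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the file is named after the key's unique name in the CNG machine store
        $unique = $rsa.Key.UniqueName
        $dir    = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the file is the unique key container name in MachineKeys
        $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        throw "Unsupported private key type for $($Certificate.Thumbprint) (RSA only in this example)"
    }
    $path = Join-Path $dir $unique
    if (-not (Test-Path $path)) { throw "Key file '$unique' not found under $dir (hardware-backed key?)" }
    return $path
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $path = Get-MachineKeyPath -Certificate $cert
    $acl  = Get-Acl -Path $path
    Write-Verbose "Before: $($acl.Sddl)"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # AddAccessRule merges the new entry into the DACL that is already on the file.
    # Nothing present (including CREATOR OWNER) is removed; only the DACL section is
    # written back, so the SYSTEM owner is not touched either.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Verbose "After:  $((Get-Acl -Path $path).Sddl)"
    return $path
}

function Test-PrivateKeyAccess {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE')
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $path = Get-MachineKeyPath -Certificate $cert
    $acl  = Get-Acl -Path $path
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    # True when an Allow entry for the identity covers every bit of the Read right
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        KeyFile    = $path
        Owner      = $acl.Owner
        Entries    = ($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        HasRead    = [bool]$hasRead
    }
}

# Usage (placeholder thumbprint; substitute the WEC client certificate's thumbprint):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT_PLACEHOLDER' -Verbose
# Test-PrivateKeyAccess -Thumbprint 'THUMBPRINT_PLACEHOLDER' | Format-List
```

Run Test-PrivateKeyAccess before and after the grant and compare the Entries field: the only difference should be the added NETWORK SERVICE line. Because a renewed certificate has a new thumbprint and a new key file, the same check is worth repeating after each autoenrollment renewal to confirm the read entry is still present on the current key.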


1 additional answer

  1. Q&A Assist
    2026-04-13T19:13:37.36+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For machine certificates on Windows 7 / Windows Server 2008 R2 that are deployed and renewed through Certificate Autoenrollment, private key permissions are controlled by the OS and can be reset on renewal.

    When a machine certificate is renewed by Autoenrollment, any custom ACLs on the private key can be lost and reset to the default values. The documented default private key permissions for a machine certificate are:

    • Local System – Full Control
    • Administrators – Full Control

    If custom permissions (for example, granting NETWORK SERVICE read access) are applied and the certificate is later renewed by Autoenrollment, those custom permissions can be removed and the ACL reset to the defaults above. This behavior is a known issue in Windows 7 / Windows Server 2008 R2 and is addressed by a hotfix that updates Certenroll.dll.

    To keep custom private key permissions from being lost on renewal in these OS versions, the environment must:

    1. Be running one of the affected OS versions (Windows 7 / Windows 7 SP1 / Windows Server 2008 R2 / Windows Server 2008 R2 SP1).
    2. Have the hotfix that updates Certenroll.dll to one of the fixed versions listed in the article installed.
    3. Be restarted after applying the hotfix.

    The hotfix is intended specifically to correct the problem where private key permissions are reset to default values when a machine certificate is renewed by Autoenrollment. It does not require registry changes and does not replace any previous hotfix.

    In this context, if CREATOR OWNER is being removed or custom ACEs are being altered when scripts or Autoenrollment run, the supported fix is to apply the Certenroll.dll hotfix on affected clients so that custom private key permissions (such as NETWORK SERVICE read access) are preserved across renewals.
