deleted 149 characters in body
jimasp

Edit - I tried repeating the full process this morning, and now I get an error as expected. See my answer below.

I also looked at %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys and the permissions for the most recently modified private key "file" are as expected (i.e. no access for anyone).

added 2 characters in body

Given that any arbitrary user on my system seems to be able to access the private key, even when all users are removed from "Manage Private Keys", what exactly does Manage Private Keys do? It seems like I've either got it completely wrong, or I'm missing something obvious.

Note - I can't use a user certificate store to secure the certificate because ultimately the certificate is for a non-interactive service account user (i.e. a user that does not have their own certificate store).

Edit - I tried repeating the full process this morning, and now I get an error as expected. However, if I use yesterday's certificate thumbprint I still get no error but they are set up the same. I've rebooted in case something was cached, but it made no difference.

added 2 characters in body
  1. run certlm.msc

  2. find the test.pfx certificate, right-click it and choose all tasks > manage private keys

  3. remove everyone from the list, including administrators, so you get the message: "No groups or users have permission to access this object. However, the owner of this object can assign permissions." and click Ok.

  4. double click the certificate, go to the details tab, select 'properties only' from the dropdown, click the thumbprint, and copy and paste the thumbprint into notepad

  5. open up visual studio (as a normal user, not an admin, i.e. a different account) and create a new console application, and enter the following code:
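The steps above set the private key's permissions through the certlm.msc GUI and then test the result from a different account. Before running the test program, it helps to confirm what the GUI actually wrote to disk. The script below is an added example, not code from the original post: given a thumbprint, it finds the certificate in the LocalMachine\My store, resolves the key's unique container name, locates the backing file under the machine-wide key directories (assumed here to be %ProgramData%\Microsoft\Crypto\Keys for CNG keys and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys for legacy CAPI keys, which is what the %ALLUSERSPROFILE%\Application Data\... path in the question resolves to), and prints the owner and every ACE on that file. The parameter name and the output object are my own choices.

```powershell
# Added example (not from the original post): show who can access the private
# key file behind a LocalMachine certificate, so that the effect of
# "Manage Private Keys" can be checked outside the GUI.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint   # hypothetical parameter name; paste the value copied in step 4
)

# Step 1: find the certificate in the machine store (same store certlm.msc shows).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no associated private key" }

# Step 2: resolve the key container's unique name. CNG keys expose it via
# RSACng.Key.UniqueName; legacy CAPI keys via CspKeyContainerInfo.
$uniqueName = $null
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} elseif ($cert.PrivateKey) {
    # Fallback for older runtimes that only surface the CAPI view of the key.
    $uniqueName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $uniqueName) { throw "Could not determine the key container name for $Thumbprint" }

# Step 3: locate the file. Assumed directory layout for machine-wide keys:
#   CNG  -> %ProgramData%\Microsoft\Crypto\Keys
#   CAPI -> %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
$candidates = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$keyFile = $candidates |
    ForEach-Object { Join-Path $_ $uniqueName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container '$uniqueName' not found under: $($candidates -join '; ')" }

# Step 4: read the DACL. This is the same list "Manage Private Keys" edits.
$acl = Get-Acl -LiteralPath $keyFile

[pscustomobject]@{
    Subject  = $cert.Subject
    KeyFile  = $keyFile
    Owner    = $acl.Owner
    AceCount = $acl.Access.Count
} | Format-List

# An empty table here is the on-disk form of the dialog's warning that no
# groups or users have permission; the owner can still re-assign permissions.
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell session, for example `.\Show-KeyAcl.ps1 -Thumbprint <thumbprint>`. Reading the security descriptor needs READ_CONTROL on the file, so once every ACE has been removed only the file's owner (or an account that first takes ownership) can still run this successfully, which is the situation the dialog message in step 3 describes. If a different, non-owner account can still read or use the key after the ACE list is empty, the file shown in `KeyFile` is the one to compare against the container the other process actually opened.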
