Cryptography – How Windows MachineKey Container File Names Are Derived

Tags: access-control-list, certificate, cryptography, windows

In the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory there's an enumeration of Key Containers. The naming convention is <uniqueGUID>_<staticGUID> and I presume the <staticGUID> to be a machine identifier. Ultimately I want to be able to pair the Key Container with its respective cert so I can target specific Key Files for ACLs. To do that I need to know how the <uniqueGUID> is derived and how it relates to certificates.

The Microsoft resources I've checked so far haven't elucidated an answer, but are great for reference:

Understanding Machine-Level and User-Level RSA Key Containers (IIS reference)

How to: Change the Security Permissions for the MachineKeys Directory

Best Answer

To solve your problem of finding which certificate goes with which key file for the purpose of modifying file system ACLs on the private key files, use this:

PS C:\Users\Ryan> $Cert = Get-Item Cert:\LocalMachine\My\2F6CB7D56BAA752BCCC0829DD829C0E2662FA1C6
PS C:\Users\Ryan> $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
fad662b360941f26a1193357aab3c12d_03f917b5-cb8b-45bd-b884-41c139a66ff7

The file naming convention is x_y, where x is a random GUID to uniquely identify the key, and y is the machine GUID found at HKLM\SOFTWARE\Microsoft\Cryptography.

Some of these unique identifiers are well-known, such as some of these IIS ones:

6de9cb26d2b98c01ec4e9e8b34824aa2_GUID      iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID      NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID      iisWasKey

But others are generated randomly.

Note that this information only applies to "Local Computer" or "Machine" certificates/keys. User certificates are stored in the corresponding user-specific locations on the file system and registry.
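Putting the answer's lookup to work across the whole Local Machine personal store, as an added example (not code from the original answer): it maps every certificate that has a private key to its key file on disk and lists which identities the file's ACL currently grants access to. It assumes an elevated Windows PowerShell 5.1 or later session; the CNG branch (GetRSAPrivateKey, whose machine keys live under C:\ProgramData\Microsoft\Crypto\Keys rather than RSA\MachineKeys) goes beyond the answer's CSP-only example, and the Get-MachineKeyFile function name is the author's own.

```powershell
# Added example, not from the original answer. Maps Cert:\LocalMachine\My
# certificates to their private-key files so the files can be audited or
# have their ACLs adjusted deliberately instead of by guesswork.
$cspDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$cngDir = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'   # CNG/KSP keys

function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }

    # Legacy CSP key: the path the answer uses (x_y file under RSA\MachineKeys).
    try {
        $csp = $Cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
            return [pscustomobject]@{ Provider = 'CSP'; Path = Join-Path $cspDir $name }
        }
    } catch {
        # $Cert.PrivateKey throws for CNG keys on Windows PowerShell; fall through.
    }

    # CNG (KSP) key: PrivateKey is $null, so ask the RSACng object for its name.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return [pscustomobject]@{ Provider = 'CNG'; Path = Join-Path $cngDir $rsa.Key.UniqueName }
    }
    return $null   # e.g. ECDSA, smart-card or TPM-backed key with no file to ACL
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $key = Get-MachineKeyFile -Cert $cert
    if (-not $key) { continue }

    $who = if (Test-Path -LiteralPath $key.Path) {
        # Identities with any access; anything beyond SYSTEM/Administrators
        # and the one service account that needs the key deserves a look.
        (Get-Acl -LiteralPath $key.Path).Access.IdentityReference.Value -join ', '
    } else {
        '<file not found>'
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Provider   = $key.Provider
        KeyFile    = $key.Path
        Access     = $who
    }
}
```

Once the right file is known, a targeted grant is a normal `Get-Acl` / `$acl.AddAccessRule(...)` / `Set-Acl` on that single path rather than on the whole MachineKeys directory.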