There’s a fairly in-depth example script posted here: Post Request Script examples - #4 by andresr
This is beyond the simple scripts we have built-in (which are here: certify-plugins/src/DeploymentTasks/Core/Providers/Assets at development · webprofusion/certify-plugins · GitHub), but I note that it has a script block to set the ACL; in this case it takes the last key written and sets the permission on that:
```powershell
# Folder holding the machine-wide CSP private key files
$FilePath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
# Pick the most recently written key file (assumed to be the one just installed)
$File = Get-ChildItem $FilePath -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
# Specify account
$Account = "NT AUTHORITY\NETWORK SERVICE"
# Get current ACL on the private key
$ACL = Get-Acl -Path $File.FullName
# Set new rule (Read only, nothing broader)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
# Add rule to the ACL
$ACL.AddAccessRule($rule)
# Set new ACL to the private key
Set-Acl -Path $File.FullName -AclObject $ACL
```
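Relying on "the most recently written file" can pick the wrong key if anything else touches MachineKeys between renewal and the script run. The following is an added example (not the linked post's script and not one of Certify's built-in scripts) that goes one step further: it locates the key file for a specific certificate by thumbprint, handling both legacy CSP and CNG key storage, and then grants the same Read-only rule. It assumes the certificate sits in LocalMachine\My with an RSA private key, and that the thumbprint is supplied as a parameter.

```powershell
# Added example: grant an account Read on one certificate's private key file,
# found by thumbprint rather than by "last file written".
param(
    [Parameter(Mandatory)][string]$Thumbprint,          # assumed to be passed in by the caller
    [string]$Account = "NT AUTHORITY\NETWORK SERVICE"   # least privilege: Read only
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# Resolve the on-disk key container name. CNG keys expose UniqueName,
# legacy CSP keys expose UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().Name)"
}

# Machine keys live in one of two folders depending on the provider.
$keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
             "$env:ProgramData\Microsoft\Crypto\Keys")
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -File -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found under $($keyDirs -join ', ')" }

# Add a Read/Allow rule for the account and write the ACL back.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting entries for the account so the change can be checked in the task log.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it elevated; the final output lists the rule just applied, which is a convenient thing to capture from the deployment task log.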