I have a network folder and two machine accounts, node1$ and node2$, both of them having full control permission on the folder.
I log in to a SQL Server instance on the node1 machine and back up a SQL Server certificate to the network folder, which generates a .crt and a .pvk file.
Then I log in to the node2 machine and try to restore the certificate in another SQL Server instance. But I can't, because node2$ has no permissions on the .crt and .pvk files.
Moreover, if I check the created files, even the node1$ machine account has no explicit permissions on them. Instead, I find an "OWNER RIGHTS" ACE.
So, the files don't seem to inherit the permissions that node1$ and node2$ have on the folder.
This issue doesn't occur with other kinds of files.
I can solve this by manually assigning explicit permissions on the files to node2$.
But my question is: why don't .crt and .pvk files inherit the permissions as other types of file do?
The documentation explains it:
When performing a backup, the files will be ACLd to the service account of the SQL Server instance. If you need to restore the certificate to a server running under a different account, you will need to adjust the permissions on the files so that they are able to be read by the new account.
As you already figured out: inheritance is disabled because the T-SQL command BACKUP CERTIFICATE explicitly removes all permissions except those of the service account.
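As an added example (not code from the question, the answer, or SQL Server's documentation), the following PowerShell first verifies the behaviour described above on the backed-up files (inheritance protected, only the explicit ACEs written by BACKUP CERTIFICATE, including the OWNER RIGHTS well-known SID) and then grants the restoring account the read access it needs. The share path, the file names and the DOMAIN prefix on node2$ are placeholders; replace them with your own values.

```powershell
# Added example, not from the page. Placeholders: the share path, the file
# names and the DOMAIN prefix are assumptions to be replaced.
$backupFiles    = @('\\fileserver\sqlbackups\cert.crt',
                    '\\fileserver\sqlbackups\cert.pvk')
$restoreAccount = 'DOMAIN\node2$'   # account running CREATE CERTIFICATE ... FROM FILE on node2

foreach ($file in $backupFiles) {
    $acl = Get-Acl -Path $file

    # Check 1: BACKUP CERTIFICATE writes the files with inheritance disabled,
    # so this is expected to be True and no ACE below is marked IsInherited.
    '{0}: inheritance blocked = {1}' -f $file, $acl.AreAccessRulesProtected

    # Check 2: list the explicit ACEs. Expect the instance's service account
    # plus OWNER RIGHTS (well-known SID S-1-3-4), not the folder's node1$/node2$ ACEs.
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    # Fix: add a Read ACE for the restoring account only. Read is all the
    # restore needs; re-enabling inheritance would instead expose the private
    # key file to everyone who can read the folder.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $restoreAccount, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}
```

Run it from an account that holds Full Control (or ownership) on the share, since changing the DACL of a file you cannot already write to will fail. Keeping the explicit per-account ACE, rather than re-enabling inheritance, preserves the tight default that BACKUP CERTIFICATE applies to the private key file.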