While playing around with WCF's security, I stumbled on an easy way to change a certificate's ACL using MMC.EXE
So start MMC.exe and add the certificate's snap-in:
This will now list all your certificates (depending on the store you selected).
Now right-click your certificate and choose Manage Private Keys…
This will open up the permissions screen; I've added NETWORK SERVICE to allow a WCF service to read the certificate:
This does beat the hell out of using the FindPrivateKey.exe tool and then using CACL XXX /E /G NETWORK SERVICE:R