While playing around with WCF's security, I stumbled on an easy way to change a certificate's ACL using MMC.EXE

So start MMC.exe and add the certificate's snap-in:

This will now list all your certificates (depending on the store you selected).

Now right-click your certificate and choose Manage Private Keys…

This will open up the permissions screen; I've added NETWORK SERVICE to allow a WCF service to read the certificate:

This does beat the hell out of using the FindPrivateKey.exe tool and then using CACL XXX /E /G NETWORK SERVICE:R