Windows_certificate assigning acl issue

I'm trying to use windows_certificate to import a PFX file and give a user access to the private key. My recipe looks something like this

windows_certificate 'mycert' do
source 'c:/temp/mycert.pfx'
pfx_password 'password'
private_key_acl ['appuser']

importing the certificate works fine but user isn't being added to the private key. Looking at the cert in MMC, instead of the user being added I see "LogonSessionId_0..." has been added with read permissions. I can manually add the user.

is there some step that I'm missing?